IETF Logo Mail Archive

Re: [jose] DISCUSS: Nonce/Timestamp parameter

Dick Hardt <dick.hardt@gmail.com> Mon, 27 August 2012 20:23 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9066121F8453 for <jose@ietfa.amsl.com>; Mon, 27 Aug 2012 13:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.571
X-Spam-Level:
X-Spam-Status: No, score=-3.571 tagged_above=-999 required=5 tests=[AWL=0.027, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tXkpTrvsyJR for <jose@ietfa.amsl.com>; Mon, 27 Aug 2012 13:23:18 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by ietfa.amsl.com (Postfix) with ESMTP id 126BE21F844F for <jose@ietf.org>; Mon, 27 Aug 2012 13:23:18 -0700 (PDT)
Received: by dadf8 with SMTP id f8so2720017dad.31 for <jose@ietf.org>; Mon, 27 Aug 2012 13:23:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=5njOFVyAsIte1NfT7Hix0uZS6lqseuzS0wENVDNALD4=; b=ouDBcILk/69tuJJZkDdpnwmXrGAezs6pTjmxQROFhV2eUfNcBikkh96QfIR2OdcDkF D/LqxPvGowXY3HrwPwuC4NCsT11uD5ye6wKiHhOfdPqCChaEicCJEitLImZRacsiHrLA JWPTx/F1Mx7vC0B02a1qi0v/wAEA4z0X2jcR5p2iW4ZufC4D7UReBLKmt7s9WJsg5gpQ ASFmREcthJHSJy7cUob7MQvCajTCEGR1GrFYxiTjVLZWLIrY4Ru3N/ojRg88Ur9+apvK B2F2SsXcMdfD50XZpA12/5nZXPJUduEZLKLe7KbHlXKAGCDenc6EgfYY01vx5rAckViv S49Q==
Received: by 10.68.241.72 with SMTP id wg8mr22557171pbc.96.1346098997827; Mon, 27 Aug 2012 13:23:17 -0700 (PDT)
Received: from [10.0.0.4] (c-24-5-69-173.hsd1.ca.comcast.net. [24.5.69.173]) by mx.google.com with ESMTPS id qp6sm15353910pbc.55.2012.08.27.13.23.12 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 27 Aug 2012 13:23:15 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_190205E2-862D-4B3D-844E-5D5CE2DFCF4B"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com>
Date: Mon, 27 Aug 2012 13:23:01 -0700
Message-Id: <6C5B4E61-C18F-470A-955C-B099A2208788@gmail.com>
References: <CE8995AB5D178F44A2154F5C9A97CAF402517E00B8B5@HE111541.emea1.cds.t-internal.com> <CE8995AB5D178F44A2154F5C9A97CAF402517E00C0E7@HE111541.emea1.cds.t-internal.com> <8777DAED-4ADA-4691-B5CD-0E5CF308BC1C@gmail.com> <CALT9B_Tnz+9=a-NPuUTeSb31fFMi1cJMB-SeM7QJmSh=XrhHTA@mail.gmail.com>
To: Brian Eaton <beaton@google.com>
X-Mailer: Apple Mail (2.1278)
Cc: Jim Schaad <ietf@augustcellars.com>, jose@ietf.org, Axel Nennker <Axel.Nennker@telekom.de>
Subject: Re: [jose] DISCUSS: Nonce/Timestamp parameter
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2012 20:23:18 -0000

On Aug 27, 2012, at 1:06 PM, Brian Eaton wrote:

> On Mon, Aug 27, 2012 at 12:11 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> I have an application for JWT that is not OAuth2.
> 
> Should nonce and timestamp logic go in the application level protocol?

I prefer to NOT have the application level deal with token validity.

>  
> Having said that, nonce's are difficult to implement at scale and I have heard of many sites that don't implement them fully.
> 
> Nonce alone can't be implemented efficiently.  You have to have time stamps as well, otherwise you are stuck storing ever nonce you've ever seen, forever.
> 
> Even nonce + time stamp is challenging in distributed systems.  It adds a lot of complexity.  That complexity is sometimes merited, but not always.

Thanks for confirming my statement.

I have stopped using nonce and only use time stamps lately and have made the system relatively stateless so that a second submission of the token is ok. That may not work for everyone, but I have found that architecture to be easier to implement and scale.

v2.43.4 | Report a Bug | By Email | System Status