[OAUTH-WG] MAC: Age in nonce
Eran Hammer-Lahav <eran@hueniverse.com> Sat, 19 November 2011 16:42 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D7A021F87D9 for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:42:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Level:
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xAJGfBRAWmWt for <oauth@ietfa.amsl.com>; Sat, 19 Nov 2011 08:41:59 -0800 (PST)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 2ED0921F86A6 for <oauth@ietf.org>; Sat, 19 Nov 2011 08:41:59 -0800 (PST)
Received: (qmail 28070 invoked from network); 19 Nov 2011 16:41:58 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.21) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 19 Nov 2011 16:41:58 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT003.EX1.SECURESERVER.NET ([72.167.180.21]) with mapi; Sat, 19 Nov 2011 09:41:58 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 09:41:45 -0700
Thread-Topic: MAC: Age in nonce
Thread-Index: Acym0W8ISBrm3AkySJ2N//oMkDobCA==
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_90C41DD21FB7C64BB94121FBBC2E7234526735EDF6P3PW5EX1MB01E_"
MIME-Version: 1.0
Subject: [OAUTH-WG] MAC: Age in nonce
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Nov 2011 16:42:00 -0000
We had a long discussion about what to use for the numerical component of the nonce string. I would like to suggest we use: nonce REQUIRED. A unique string generated by the client to allow the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over an insecure channel. The nonce value MUST be unique across all requests with the same MAC key identifier. The nonce value MUST consist of an age, a colon character (%x25), and a unique string (typically random). The age portion MUST be a monotonically increasing, but not necessarily unique, positive integer value. The change in the age value between requests MUST reflect the number of seconds elapsed. For example, the age can be a client timestamp expressed as seconds since 01-01-1970 or since the credentials were issued to the client. The value MUST NOT include leading zeros (e.g. "000273156"). For example: "273156:di3hvdf8" To avoid the need to retain an infinite number of nonce values for future checks, the server MAY choose to restrict the time period after which a request with an old age is rejected. If such a restriction is enforced, the server SHOULD allow for a sufficiently large window to accommodate network delays. The server SHOULD use the first age value received from the client to establish a method for comparing the server time with that of the client. In addition, the server SHOULD accommodate small negative changes in age values caused by differences between the multiple clocks of a distributed client configuration utilizing more than one device. This text keeps the age as a seconds count but uses the first request to establish a clock sync on the server side instead of mandating one way to calculate it. Feedback? EHL
- [OAUTH-WG] MAC: Age in nonce Eran Hammer-Lahav
- Re: [OAUTH-WG] MAC: Age in nonce Blaine Cook
- Re: [OAUTH-WG] MAC: Age in nonce Michael Thomas