[OAUTH-WG] MAC: Age in nonce

Eran Hammer-Lahav <eran@hueniverse.com> Sat, 19 November 2011 16:42 UTC

From: Eran Hammer-Lahav <eran@hueniverse.com>
To: OAuth WG <oauth@ietf.org>
Date: Sat, 19 Nov 2011 09:41:45 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234526735EDF6@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Subject: [OAUTH-WG] MAC: Age in nonce

We had a long discussion about what to use for the numerical component of the nonce string. I would like to suggest we use:

   nonce
         REQUIRED.  A unique string generated by the client to allow the
         server to verify that a request has never been made before and
         helps prevent replay attacks when requests are made over an
         insecure channel.  The nonce value MUST be unique across all
         requests with the same MAC key identifier.

         The nonce value MUST consist of an age, a colon character
         (%x25), and a unique string (typically random).  The age
         portion MUST be a monotonically increasing, but not necessarily
         unique, positive integer value.  The change in the age value
         between requests MUST reflect the number of seconds elapsed.
         For example, the age can be a client timestamp expressed as
         seconds since 01-01-1970 or since the credentials were issued
         to the client.  The value MUST NOT include leading zeros (e.g.
         "000273156").  For example: "273156:di3hvdf8"

         To avoid the need to retain an infinite number of nonce values
         for future checks, the server MAY choose to restrict the time
         period after which a request with an old age is rejected.  If
         such a restriction is enforced, the server SHOULD allow for a
         sufficiently large window to accommodate network delays.  The
         server SHOULD use the first age value received from the client
         to establish a method for comparing the server time with that
         of the client.  In addition, the server SHOULD accommodate small
         negative changes in age values caused by differences between
         the multiple clocks of a distributed client configuration
         utilizing more than one device.

This text keeps the age as a seconds count but uses the first request to establish a clock sync on the server side instead of mandating one way to calculate it.

Feedback?

EHL
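Added example, not part of the message above or of any OAuth WG draft: a small server-side validator for the proposed "age:unique-string" nonce format, plus the client-side generator. It implements the rules as the proposal states them (positive integer age without leading zeros, colon separator as in the sample value "273156:di3hvdf8", uniqueness per MAC key identifier, first age used to align the client's clock with the server's, a rejection window for old ages, and tolerance for small negative age changes). The names `NonceValidator`, `make_nonce`, the `window` and `skew` parameters and the injectable `clock` are my assumptions, as is keeping one validator per MAC key identifier; the character set allowed in the unique part is also an assumption.

```python
"""
Server-side replay protection for the proposed MAC nonce format
"<age>:<unique-string>". One NonceValidator is assumed per MAC key
identifier, since that is the scope over which nonces must be unique.
"""
import re
import secrets
import time

# Age: positive integer, no leading zeros. Separator: colon (ASCII 0x3A),
# as in the proposal's example "273156:di3hvdf8". The allowed alphabet of
# the unique part is an assumption of this example.
NONCE_RE = re.compile(r"^([1-9][0-9]*):([A-Za-z0-9._~-]+)$")


def make_nonce(age: int) -> str:
    """Client side: combine a seconds-based age with a random unique string."""
    if age < 1:
        raise ValueError("age must be a positive integer")
    return f"{age}:{secrets.token_urlsafe(8)}"


class NonceValidator:
    def __init__(self, window: float = 300, skew: float = 5, clock=time.time):
        self.window = window   # seconds after which an old age is rejected
        self.skew = skew       # tolerated negative change in age (multi-device clients)
        self.clock = clock     # injectable for tests
        self.offset = None     # server_time - client_age, fixed from the first request
        self.max_age = None    # highest age accepted so far
        self.seen = {}         # nonce -> server-time equivalent of its age

    def _prune(self, now: float) -> None:
        # Only nonces that could still pass the window check need to be kept.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}

    def check(self, nonce: str) -> tuple:
        """Return (accepted, reason). Accepting records the nonce."""
        m = NONCE_RE.match(nonce)
        if not m:
            return False, "malformed nonce"
        age = int(m.group(1))
        now = self.clock()
        if self.offset is None:
            # First request from this key: establish how to compare clocks.
            self.offset = now - age
            self.max_age = age
        self._prune(now)
        if nonce in self.seen:
            return False, "replay"
        client_time = age + self.offset          # age translated to server time
        if now - client_time > self.window:
            return False, "stale"
        if age < self.max_age - self.skew:       # small decreases are tolerated
            return False, "age went backwards"
        self.seen[nonce] = client_time
        self.max_age = max(self.max_age, age)
        return True, "ok"


if __name__ == "__main__":
    v = NonceValidator()
    first = make_nonce(int(time.time()))
    print(first, v.check(first))   # accepted
    print(first, v.check(first))   # rejected as a replay
```

Because stale nonces are rejected by the window check, the server only needs to retain nonces whose age falls inside that window, which is exactly what `_prune` keeps; the retained set therefore stays bounded regardless of how long the key lives.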