Open TomCJones opened 4 years ago
tplooker
commented
4 years ago There is currently nothing preventing applications from using the id as a nonce, as there is equally nothing preventing applications from declaring and using an explicit nonce field, I agree with all the points you make above in reference to them being valid uses of the id field I am just wondering if there is anything we can add to the spec to make this clearer?
kdenhartog
commented
4 years ago As Paul Dietrich pointed out on that call, some consideration should be taken around the security of combining these pieces of functionality. In particular, is it possible that the behavior of the nonce will conflict the use of ID for message tracking or routing that could potentially lead to confusion and ultimately insecure implementations.
With that in mind, I think the best route would be to make the nonce explicitly separate as we don't have a compactness requirement that would suggest combining them would be the right approach. If there's other reasons other than compactness that we should consider as a benefit to this approach, I'd like to consider them.
Based on a iiw discussion there is a proposal to combine functionality. Here are the reqs - would be interested in solutions.