Softwaremaker



public class SOA : IBusinessProcess, IServicePipes, IMessageBus
{ public XML Messages () { (Envelope) scrubWithSOAP(); } }


NONCE : Web Services Security is Nothing BUT a whole lot of NONCEnse

Nonce is an interesting word. I have been seeing this word so much with WSE works that I swear I dream about it sometimes...

I came across this:

It’s recorded right back into medieval times but was originally created by mistake. It was at first then anes, meaning for the one purpose or occasion, where anes is a variant form of one and then is a defunct form of the. But people misunderstood where the break between words came, and turned then anes into the nanes (said, I think, as though it was spelt nanse). Eventually this evolved into the nonce, perhaps based on widespread mispronunciation. (This isn’t the only word known to have been transformed in this way; for example there’s newt, which was at first an ewt, and nickname, which started life as an eke name.).

This evolved to "the nonce," perhaps based on widespread mispronunciation... I would think that accents are few and far between in those days, and we still get mispronunciation? Geez, I wonder what this word will look like after a decade >>> Naunci = Not An Unidentified Number Chosen Inappropriately??? :)

Very interesting...

And then, from the evolution of this new word, the term “Number Once” came about, which brings me to my next point >>> I've seen NONCE being repeated more than once... unlike a UUID or a GUID, which is almost unique, so how can it be ONCE?

Anyway, this is taken from MS's Web Services Security Addendum:

/wsse:Nonce
This optional element specifies a cryptographically random nonce. 
/wsse:Nonce/@EncodingType
This optional attribute specifies the encoding type of the nonce (see WS-Security's definition of BinarySecurityToken for valid values). If this attribute isn't specified then the default of Base64 encoding is used.
/wsu:Created
This optional element which specifies a timestamp.
These extensions SHOULD NOT be used unless the plain text password, secret, or password-equivalent is available to both the requestor and the receiver.

Note that the nonce is hashed using the octet sequence of its decoded value... How many of you actually know that? I know I didn't ;)
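To make the decoded-octets point and the "how can it be ONCE" question concrete, here is an added example (not code from this post, WSE, or the specification). It assumes the UsernameToken digest formula Base64(SHA-1(nonce + Created + password)) from the WS-Security UsernameToken profile; `TokenVerifier`, `text_nonce_digest`, the five-minute window and the sample values are hypothetical.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def password_digest(nonce_b64, created, password):
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce + Created + password))."""
    nonce = base64.b64decode(nonce_b64, validate=True)  # decoded octets, not the Base64 text
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def text_nonce_digest(nonce_b64, created, password):
    """Interop mistake: hashes the Base64 characters of the nonce instead of its octets."""
    data = (nonce_b64 + created + password).encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

class TokenVerifier:
    """Hypothetical receiver: checks freshness, digest, then rejects a repeated nonce."""
    def __init__(self, password, max_age=timedelta(minutes=5)):
        self.password = password
        self.max_age = max_age
        self.seen = {}  # nonce octets -> Created time

    def verify(self, nonce_b64, created, digest, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return "malformed"
        if abs(now - stamp) > self.max_age:
            return "stale"
        expected = password_digest(nonce_b64, created, self.password)
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "bad-digest"
        # Nonces older than the window can be forgotten: their Created is already stale.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = stamp
        return "ok"

if __name__ == "__main__":
    # Constructed sample values, not taken from the post or the specification.
    now = datetime(2004, 6, 23, 13, 16, 30, tzinfo=timezone.utc)
    nonce_b64 = base64.b64encode(bytes(range(16))).decode("ascii")
    created = "2004-06-23T13:16:00Z"
    digest = password_digest(nonce_b64, created, "example-password")
    v = TokenVerifier("example-password")
    print(v.verify(nonce_b64, created, digest, now), v.verify(nonce_b64, created, digest, now))
```

The nonce is only "once" because the receiver remembers it for as long as the Created timestamp is still acceptable; a real sender would draw the nonce from a cryptographic random source such as `os.urandom` rather than the fixed bytes used here.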

Sam Ruby has got an interesting blog on NONCE here

posted on Wednesday, June 23, 2004 9:16 PM by softwaremaker




