Nonce Sense

2008-07-08, Comments

[openid icon]

I tried to set up a personal OpenID server here at wordaligned. The process went smoothly enough and a couple of tests on my localhost suggested all was working so I deployed the changes. When I then tried logging in to a website using my shiny new identity I found that, not only had I cocked something up, but, as you can see from the query parameter in my browser’s address bar, the site thought I was a nonce.

[Nonce in the address bar]

Hey, I’m guilty of entering an invalid ID, but I’m no pervert!

In the UK, the term nonce (sometimes spelled “nonse”) is a slang word used to refer to a sex offender and/or child sexual abuser, and thus as an insult.


Once I’d got past the initial shock a quick web search exposed my mistake: in cryptography, a nonce is a number used once. Here’s a reference in the OpenID 2.0 specification.

11.3. Checking the Nonce

To prevent replay attacks, the agent checking the signature keeps track of the nonce values included in positive assertions and never accepts the same value more than once for the same OP Endpoint URL.

Digging deeper, I learn that outside the world of crime and cryptography:

It’s mainly a term of trade among lexicographers and linguists and turns up also in phrases like nonce compound, nonce borrowing and nonce formation.

Michael Quinion

In case you were wondering … this note shares its title, “Nonce Sense”, with a hoax anti-paedophile campaign shown on the controversial comedy show Brass Eye.