- From: Samuel Schlesinger <notifications@github.com>
- Date: Tue, 29 Jul 2025 06:33:47 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 29 July 2025 13:33:51 UTC
SamuelSchlesinger left a comment (w3ctag/design-reviews#1071)

Yes, indeed that is possible with the current design in the explainer. One mitigation we could apply is binding the proof to a nonce provided by the issuer at challenge time; the underlying cryptography supports this. Still, I should clarify: if you have a sink of valid tokens, then you can generate proofs and rate-limiting tokens anyway, as we cannot bind the tokens to a device without seemingly violating some of our aims to allow cross-platform compatibility. Currently, this API is on hold, but if we pursue it I will be sure to address the concerns you raised about replay attacks and the inaccurate diagram.

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1071#issuecomment-3132566965
Message ID: <w3ctag/design-reviews/issues/1071/3132566965@github.com>