- From: Ehsan Toreini <notifications@github.com>
- Date: Wed, 30 Jul 2025 09:08:19 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 30 July 2025 16:08:23 UTC
toreini left a comment (w3ctag/design-reviews#1071)

> Yes, indeed that is possible with the current design in the explainer. One mitigation we could apply is binding the proof to a nonce provided by the issuer at challenge time; the underlying cryptography supports this. Still, I should clarify, if you have a sink of valid tokens, then you can generate proofs and rate limiting tokens anyways, as we cannot bind the tokens to a device without seemingly violating some of our aims to allow cross-platform compatibility.
>
> Currently, this API is on hold, but if we pursue it I will be sure to address the concerns you raised about replay attacks and the inaccurate diagram.

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1071#issuecomment-3136965292
You are receiving this because you are subscribed to this thread.
Message ID: <w3ctag/design-reviews/issues/1071/3136965292@github.com>
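The comment above proposes binding each proof to an issuer-provided challenge nonce so that a captured proof cannot be replayed, and notes the limit of that mitigation: anyone holding a valid token can still answer fresh challenges. The following is an added illustration of that verification flow, not code from the explainer or the design-reviews thread. It assumes a simplified stand-in for the token (a keyed HMAC over a token id under an issuer key, where the real design would use its own issuance cryptography), a nonce registry with a time-to-live, and single-use enforcement; the names `Issuer`, `make_proof` and `run_scenarios` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-in token construction (assumption, not the explainer's scheme):
# the issuer derives a token from a token id under its own key.
# The proof binds that token to the challenge nonce with a second HMAC.


def make_proof(token: bytes, nonce: bytes) -> bytes:
    """Holder side: bind the token to the issuer's challenge nonce."""
    return hmac.new(token, b"proof|" + nonce, hashlib.sha256).digest()


class Issuer:
    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self.key = key
        self.ttl = ttl_seconds
        self._nonces = {}   # nonce -> expiry timestamp (issued challenges)
        self._used = set()  # nonces already consumed by a valid proof

    def issue_token(self, token_id: bytes) -> bytes:
        return hmac.new(self.key, b"token|" + token_id, hashlib.sha256).digest()

    def challenge(self, now: float) -> bytes:
        """Issue a fresh random nonce and remember when it expires."""
        nonce = secrets.token_bytes(16)
        self._nonces[nonce] = now + self.ttl
        return nonce

    def verify(self, token_id: bytes, nonce: bytes, proof: bytes, now: float) -> str:
        """Check freshness and single use before checking the proof itself."""
        expiry = self._nonces.get(nonce)
        if expiry is None:
            return "unknown-nonce"      # never issued by us
        if now > expiry:
            return "expired"            # challenge too old
        if nonce in self._used:
            return "replayed"           # proof (or nonce) presented twice
        expected = make_proof(self.issue_token(token_id), nonce)
        if not hmac.compare_digest(expected, proof):
            return "bad-proof"          # proof not bound to a valid token
        self._used.add(nonce)
        return "ok"


def run_scenarios() -> dict:
    """Constructed scenarios: legitimate use, replay, expiry, bad token, leaked token."""
    issuer = Issuer(secrets.token_bytes(32))
    token_id = b"client-A"              # constructed sample id
    token = issuer.issue_token(token_id)
    now = 1_000.0
    results = {}

    n1 = issuer.challenge(now)
    p1 = make_proof(token, n1)
    results["first"] = issuer.verify(token_id, n1, p1, now + 1)
    # Same (nonce, proof) presented again: rejected by single-use tracking.
    results["replay"] = issuer.verify(token_id, n1, p1, now + 2)

    n2 = issuer.challenge(now)
    results["expired"] = issuer.verify(token_id, n2, make_proof(token, n2), now + 31)

    n3 = issuer.challenge(now)
    results["wrong_token"] = issuer.verify(token_id, n3, make_proof(b"not-the-token", n3), now + 1)

    # The caveat from the comment: a leaked valid token still answers a fresh challenge,
    # because nothing here ties the token to a particular device.
    n4 = issuer.challenge(now)
    results["leaked_token"] = issuer.verify(token_id, n4, make_proof(token, n4), now + 1)

    zero = b"\x00" * 16
    results["unknown_nonce"] = issuer.verify(token_id, zero, make_proof(token, zero), now)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The order of checks in `verify` matters for accounting: nonce existence and expiry are decided before any cryptographic work, and a nonce is only marked as used once a correct proof has been seen, so a rejected attempt cannot burn a legitimate holder's outstanding challenge.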