- From: Martin Thomson <notifications@github.com>
- Date: Mon, 02 Jun 2025 16:55:01 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 2 June 2025 23:55:05 UTC
@martinthomson commented on this pull request. > + +A possible alternative is to define a new `Signature` field parameter, +but that could be confused with `keyid`. + +One nice thing about this is that the server can choose the `keyid` value +that is used when it sends `Accept-Signature`, +which provides the server with certainty about how keys are identified. +That key identifier is a form of cookie also; +or an extension to the information stored for the `Signed` cookie. +That means it needs to be cleared along with the cookie if someone asks the browser to clear state. +Of course, state clearing already requires that the key pair also be cleared. + +The only thing remaining is to maybe avoid sending the public key +when the browser sends a `Signed` cookie subsequent to enrollment. +This can be as simple as remembering the last request that was made with that cookie. +If the cookie has changed, or the last request made with that cookie received a 4x. ```suggestion If the cookie has changed, or the last request made with that cookie received a 4xx ``` -- Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/pull/1094#pullrequestreview-2890218992 You are receiving this because you are subscribed to this thread. Message ID: <w3ctag/design-reviews/pull/1094/review/2890218992@github.com>
Received on Monday, 2 June 2025 23:55:05 UTC