Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expiration not needed #1194

Closed
richanna opened this issue May 25, 2020 · 7 comments
Closed

Expiration not needed #1194

richanna opened this issue May 25, 2020 · 7 comments

Comments

@richanna
Copy link
Contributor

In many cases, putting the expiration of the signature into the hands of the signer opens up more options for failures than necessary. Instead of the expires, any verifier can use the created field and an internal lifetime or offset to calculate expiration. We should consider dropping the expires field.

@ioggstream
Copy link
Contributor

The private key's owner must to be able to constraint the time validity of the signature because he has no ability to control on the internal lifetime of the verifier.

Dropping expires is dangerous.

@ioggstream
Copy link
Contributor

Can we close this? :)

@OR13
Copy link

OR13 commented Oct 31, 2020

+1 to closing.

@JCapriotti
Copy link

JCapriotti commented Mar 18, 2021

How would one handle a scenario of the server requiring a short expiration? Is there a "middle-ground" of allowing a server to reject a request containing what it considers to be an invalid expires?

@jricher
Copy link
Contributor

jricher commented Mar 22, 2021

@JCapriotti that's exactly the motivation behind potentially dropping expires: the server can always decide to reject something that hasn't "expired" from the client's perspective just because it has a tighter set of requirements. expires is ultimately just a hint from the client to put an upper bound on the trustworthiness of a signature. I personally think we can do a better job of capturing that reality in the text, and put the right expectations around the different parameters.

@JCapriotti
Copy link

@jricher thanks for that perspective; basically, expires meaningless in my scenario since it is really the server that cares about the age of the signature.

@jricher
Copy link
Contributor

jricher commented Apr 21, 2021

Expiration is now marked as a non-required parameter that is from the perspective of the signer, and a verifier can do what it wants with this information.

@jricher jricher closed this as completed Apr 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

6 participants