Expiration not needed #1194
Comments
The private key's owner must be able to constrain the time validity of the signature because he has no ability to control the internal lifetime of the verifier. Dropping |
Can we close this? :) |
+1 to closing. |
How would one handle a scenario of the server requiring a short expiration? Is there a "middle-ground" of allowing a server to reject a request containing what it considers to be an invalid |
@JCapriotti that's exactly the motivation behind potentially dropping |
@jricher thanks for that perspective; basically, |
Expiration is now marked as a non-required parameter that is from the perspective of the signer, and a verifier can do what it wants with this information. |
In many cases, putting the expiration of the signature into the hands of the signer opens up more options for failures than necessary. Instead of the expires, any verifier can use the created field and an internal lifetime or offset to calculate expiration. We should consider dropping the expires field.
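The verifier-side calculation proposed in this issue, combined with the outcome where expires stays optional, as an added example that is not code from the thread or the project. The names `VerifierPolicy` and `check_freshness`, the 300 s lifetime, the 30 s skew allowance, the use of Unix-second timestamps and the choice to reject a signature without created are all assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class VerifierPolicy:
    """Hypothetical verifier-local settings; not defined by the page."""
    max_age: int = 300     # seconds the verifier honors a signature after `created`
    clock_skew: int = 30   # tolerated clock difference between signer and verifier


def check_freshness(created: Optional[int], expires: Optional[int],
                    now: int, policy: VerifierPolicy) -> Tuple[bool, str]:
    """Decide whether a signature is still acceptable at time `now`.

    The verifier derives its own deadline from `created`. A signer-supplied
    `expires` can only shorten that deadline, never extend it.
    """
    if created is None:
        # Assumption: without `created` the verifier cannot bound the lifetime.
        return False, "created missing"
    if created > now + policy.clock_skew:
        return False, "created in the future"

    deadline = created + policy.max_age
    if expires is not None:
        if expires <= created:
            return False, "expires not after created"
        # Honor the signer's wish for a shorter window, ignore a longer one.
        deadline = min(deadline, expires)

    if now > deadline + policy.clock_skew:
        return False, "expired"
    return True, "fresh"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    policy = VerifierPolicy()
    for created, expires in [(now - 60, None), (now - 400, None),
                             (now - 60, now + 3600), (now - 60, now - 40)]:
        print(created, expires, check_freshness(created, expires, now, policy))
```

A server that requires a short expiration sets a small `max_age`; a signer that wants a tighter bound than the verifier's default sends expires.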