On Fri, 6 Jun 2025, Paul Hoffman wrote:
> This is an OK start, but it would be better if the draft covered the actual security issues (on-path attackers) and dealt with time more carefully. Persistent validation doesn't need the token that is needed by the initial validation.
Why not? Let's say I have three accounts with FooCo and then cancel one of them. It needs something more than "I have some relationship with FooCo".
I don't object to documenting on-path attackers but it still seems awfully hypothetical.
> The new material still doesn't explain why introducing a new mechanism (intermediaries) should be part of a Best Current Practice RFC.
I agree with that bit.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
