On Sun, 8 Jun 2025, Erik Nygren wrote:
> Rather than saying "I authorize this action" in a one-off validation, persistent validation is saying "I authorize this User/account"
I don't see a useful difference. Either way the entity issuing the token uses the unique token to identify whatever it is that it wants to verify.
As I said before, I do not see any reason to make any technical changes here other than an option for the token to say it does not expire. We can wave our hands about an on-path attacker, but since I've never seen one attacking a validation token, I'm not aware of any practice we can describe, and I do not want us to guess.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
