|
|
|
|
|
|
by TrueDuality
991 days ago
|
|
|
This seems very poorly thought through. Everything from abusing the nonce as a data channel (and re-using a predictable value in a field that is short for Number used Once), to rejection of transparency for an inherently public value, misunderstanding the threat models here, and putting the responsibility for revocation on to the client (one of the most complicated things to do correctly in a potentially already compromised environment...). I think this one needs to go back to the drawing board. |
|
|