[tommiegannert]

There could be a window: the last N sequence numbers are kept in a set, where N is higher than the number of concurrent requests.

[willvarfar]

Doesn't the server discarding requests with the timestamp beyond a threshold already do windowing but statelessly?

[tommiegannert]

I responded to this:

>> Timestamps can be vulnerable to clock attacks, right? Why not just include a monotonically increasing request number along with the nonce in each request?

> That interferes with the ability to send multiple requests in-flight at the same time.

I.e. it was assumed there was a sequence number, and I refuted that it disallows concurrent requests.

In general, I agree a signed timestamp is fine.