Closed herpaderpaldent closed 3 years ago
This is correct, the OTP is a JSON Web Token. Terminology is probably ideal but "one-time password" is more understandable than a JWT.
Follow-up question: So, the JWT can be used multiple times, correct? If this is intended, this should probably be stated more clearly. If it is not intended, additional checks like for time-based OTPs should be made.
@mlegner The OTP is valid for 12 hours. The term was coined from the user's point of view: They create the OTP and insert it once into their medical application. The medical application can then use the OTP for 12 hours to create certificates.
Do I read it correctly that if an authorized person shares their JWT or enters it, e.g., on a group praxis computer, anyone with access to that computer/device or JWT might issue a certificate?
Is there nothing preventing multiple usages of said OTP from different devices at the same time? E.g., one authorized person gets the JWT for his colleagues in a group praxis and shares it with them?
In the presentation from the 20th of May you introduced the OTP object such as:
However, in the presentation from the 20th of May the OTP seems to be the same as a JSON Web Token with a validity of 12 hrs:
It seems that there is some kind of inconsistency regarding the term OTP within the presentation and documentation. From my understanding a one-time password can only be used once, whilst a JWT can be used until it expires (as long as it is valid). Are you able to clarify your terminology?
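The distinction the thread turns on (a bearer JWT that is accepted on every use until `exp`, versus a genuine one-time password that is consumed on first use) can be made concrete with a small verifier. The following is an added example and not code from the project discussed in this issue; the HS256 secret, the 12-hour validity, the `jti` claim used as the single-use identifier and the `OneTimeTokenVerifier` class are all assumptions made here for illustration. `verify_bearer` implements the behaviour described in the thread (any holder of the token may use it repeatedly for 12 hours), and `OneTimeTokenVerifier` shows the additional replay check that would be needed if the token were really meant to be single-use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret and validity window; the real service's values are not known here.
SECRET = b"demo-secret-not-for-production"
VALIDITY_SECONDS = 12 * 60 * 60  # the 12-hour validity mentioned in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, jti: str, now: int, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT carrying a unique token id (jti) and an exp 12 hours out."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "jti": jti, "iat": now, "exp": now + VALIDITY_SECONDS}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_bearer(token: str, now: int, secret: bytes = SECRET):
    """Bearer semantics: signature and exp are checked, nothing limits the number of uses.

    Returns the payload dict on success, None on any failure.
    """
    try:
        h, p, s = token.split(".")
        given_sig = _b64url_decode(s)
        payload = json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


class OneTimeTokenVerifier:
    """One-time semantics layered on top: a jti is accepted at most once.

    Hypothetical helper for the example; the store is in-memory and would need to be
    shared across all verifying instances in a real deployment.
    """

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.consumed = {}  # jti -> exp, so entries can be dropped once they expire anyway

    def verify_once(self, token: str, now: int):
        # Drop bookkeeping for tokens that could no longer pass the exp check.
        self.consumed = {j: e for j, e in self.consumed.items() if e > now}
        payload = verify_bearer(token, now, self.secret)
        if payload is None:
            return None
        jti = payload.get("jti")
        if not isinstance(jti, str) or jti in self.consumed:
            return None  # replay of an already-used token is rejected
        self.consumed[jti] = payload["exp"]
        return payload


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token("practitioner-1", "jti-0001", now)
    print("bearer, 1st use:", verify_bearer(token, now + 1) is not None)
    print("bearer, 2nd use:", verify_bearer(token, now + 3600) is not None)
    otp = OneTimeTokenVerifier()
    print("one-time, 1st use:", otp.verify_once(token, now + 1) is not None)
    print("one-time, 2nd use:", otp.verify_once(token, now + 2) is not None)
```

Under bearer semantics the same token is accepted on every call until the 12 hours are up, which is exactly the sharing scenario raised above: whoever holds the token can use it, on any device, concurrently. The `OneTimeTokenVerifier` variant is the "additional check" the thread asks about; it requires a unique `jti` per token and a consumption store that every verifying node can see, otherwise a token can still be used once per node.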