ceramicnetwork / js-did

A simple interface to interact with DIDs that conform to the DID-provider interface.

feat: increase default cacao expiry to one week (from 1 day) #130

Closed zachferland closed 1 year ago

zachferland commented 1 year ago

This PR increases the default cacao expiry when used with authmethods in did-session from 1 day to 7 days. We still have the 1 day revocation phaseout, effectively making it 8 days. Expiry is just a client default, not in the cacao library or enforced in any way; clients may already configure their own, but I expect most rely on the default. The default phaseout is more likely to be recognized, as few would change that config value.

We can discuss the time interval we want to use here. Also how we want to version the release.

oed commented 1 year ago

One week is a good default imo. Patch version should be enough to bump here?

stbrody commented 1 year ago

I'm really conflicted about this. 1 week seems like a really long time to let an app hold onto credentials to write data on your behalf, especially while we have no way to revoke a granted credential. But given the issues we've had with anchoring and CACAO expirations, I guess defaults with weaker security properties are better than data loss.

As long as we feel comfortable changing this default back to something lower in the future, once anchoring is more robust, then I guess this is fine for now.

CC @ukstv @3avi for visibility.

oed commented 1 year ago

Fyi @stbrody 3IDv2 will most likely include a way to revoke capabilities!

zachferland commented 1 year ago

Going to merge and release tomorrow. Seems 1 week is good; will release as patch. It can change behavior/expectations for an app, but I prefer patch so more apps pull it in, and extending should limit any issues with app logic (vs. decreasing).