Closed paulengland closed 1 month ago
I think there are three distinct suggestions being made in this PR. I'd like to separate them out and discuss separately if possible:
sig_type being part of the signer_payload. I'll queue up an agenda item on this. To be honest, I haven't yet understood the potential threat model here, but I am hopeful that we can discuss and resolve tomorrow. If we agree to make that change, I'll offer a new PR after tomorrow's meeting.
Closed in favor of #103, which was merged today.
This is a partial/incomplete description of the security fixes identified in https://github.com/creator-assertions/identity-assertion/issues/95
These changes will need corresponding changes elsewhere in the spec, especially in the validation section, but this will be added once we have settled on the changes here.