Closed martinthomson closed 1 year ago
Are we talking ms? sec? minutes? Any advise to implementers ?
It can't be less than 2s, because the granularity of the Date
field doesn't permit detecting anything finer than 1s.
I've done what I can.
This still does not seem to address:
Clients SHOULD include a Date header field in Encapsulated Requests, unless the Oblivious Gateway Resource does not use Date for anti-replay purposes.
Maybe just cut off the “unless” part if there is no signal for this?
Paul
@paulwouters, #263 also included https://github.com/ietf-wg-ohai/oblivious-http/pull/263/commits/1529f5dc5be22fceb94b07942fcf724c95406f5e which I think should address your concern:
Clients SHOULD include a `Date` header field in Encapsulated Requests, unless
-the Oblivious Gateway Resource does not use `Date` for anti-replay purposes.
+the Client has prior knowledge that indicates that the Oblivious Gateway
+Resource does not use `Date` for anti-replay purposes.
Thanks. That commit does address the issue, mostly. I guess it moves it do an unspecified provisioning layer :P
Paul
Comment by @paulwouters
In Section 6.4
How does a client know this? Preconfiguration ?
Are we talking ms? sec? minutes? Any advise to implementers ?