mwiesen
commented
4 years ago Notes from first run through management extension:
-
Shouldn't the profile registration return the exact URI under which the profile can now be reached? Like
http://profiles.xaldon.com/mwiesen. This could also be used in the device registration step forprofile_uri.- Done. Covered by service provider ext
-
It would be nice to know a bit more about potential
device_idconstraints, e.g. what's the recommended / maximum length? Are there any forbidden characters?- TODO: More detailed definition required. Needs to be unique amongst different devices.
-
Does the server check
device_iduniqueness? Does the user have to ensure that? What happens if two devices use the samedevice_id?- User mustn't provide the same device id for two different
- Yes, server is supposed to check uniqueness
-
Does it make sense to add a method to the cryptotools that generates a suitable random
device_id?- Use key id of symmetrical key generator
-
It would be nice to know what the timestamp is used for, e.g. so the server can "expire" device tokens after a certain period of time. But I wasn't sure if e.g. the device registration wouldn't work anymore after a timeout of, IDK 10 minutes or something.
- Prevents session replay attacks
- TODO: Add recommendation for the server to only accept timestamps around 5 mins
Here are my thoughts when I went through:
Does it make sense to support multiple email addresses per profile?
Does it make sense to have an additional coloumn in some tables called “part of signature” or similar with boolean values?
Some objects allow free text fields. Do they support emojis in case the client is able to render it? Does JSON support line breaks within a "value"?
Should the video type
previewfield need to support animated Gifs? Or size limited MP4s?The JSON member names of the profile root object are lower camel case. Should
seqtsandcreatetsalso be lower camel case, e.g.sequenceTimestamporcreateTs?In chapter 11 it says for the
seqtstimestamp: