Challenge use

[BasileiosKal]

My guess is that the Client can't just send the challenge to the Issuer?? If yes, there is nothing binding a specific challenge to the BBS signature (rn the proofs are bound to the challenge). As a result, the Origin can't "force" the Client to get a "fresh" token.

Some options that come to mind:

• Use public metadata with a low-accuracy expiration or issuance date?? (like in PR #2).
• Use blind BBS signatures, where the Client "commits" to the challenge during issuance (similar to how blind RSA works).

The blind BBS signatures document is out of date rn. If it's updated, should it be used instead of the core BBS protocol??

[wbl]

Yeah this is not for the usual privacypass semantics where you want a token that gets spent. I want to keep things simple for now: this is just to illustrate to the WG how BBS would fit in. If they decide it's useful with some bells and whistles we'll put them in.