Reviewer: Peter van Dijk
Review result: Ready
I reviewed -02 earlier, which was already in great shape. My editorial nits
were addressed (by merging my github PR), and the proposed note about CT was
added too.
I have no further comments or requests!
_
Jeremy,
> Section 7.5.1 of RFC 8555 states the client sends an empty JSON body POST
> request to the challenge URL to confirm it's ready for validation. This
> seems, perhaps, overly restrictive, and certainly inefficient for
> authorization types that are able to produce a valid challenge resp
Jeremy Hahn wrote:
> An attestation authorization still needs to be verified with a challenge,
> so setting it to valid in the new-order request does not seem like it
would
> work. I think what's best for device attestation is the ability to send
the
> attestation / challenge re
On Mon, Nov 11, 2024 at 05:07:58PM -0500, Jeremy Hahn wrote:
> An attestation authorization still needs to be verified with a challenge,
> so setting it to valid in the new-order request does not seem like it would
> work. I think what's best for device attestation is the ability to send the
> atte
An attestation authorization still needs to be verified with a challenge,
so setting it to valid in the new-order request does not seem like it would
work. I think what's best for device attestation is the ability to send the
attestation / challenge response at the same time the challenge is
accept
