This issue refers to the security review requested at w3c/security-request/#55.
In Section 2.1, I would recommend providing additional information or changing the wordings regarding the usage of "Domain" and "Challenge" parameters to better highlight the scenarios in which their usage becomes mandatory. I do agree that not all use cases demand replay protection, but it would be nice to make this explicit by providing examples or adding a note to better highlight this aspect.
This issue refers to the security review requested at w3c/security-request/#55.
In Section 2.1, I would recommend providing additional information or changing the wordings regarding the usage of "Domain" and "Challenge" parameters to better highlight the scenarios in which their usage becomes mandatory. I do agree that not all use cases demand replay protection, but it would be nice to make this explicit by providing examples or adding a note to better highlight this aspect.