Version: v0.9.0a2

Spec-11-Replay-Protection

Spec contributor · Draft · v0.9.0aN

What this spec defines

Nonce, timestamp, and bounded replay-window requirements for signed federation and capability-token operations.

Extraction status

This file contains the ADR-010 prose extraction for replay protection. It intentionally keeps token shape in Spec-06-Capability-Tokens and HLC clock skew policy in Spec-12-HLC-Bounded-Skew.

Requirements

Requirement | Spec | Constraint
--- | --- | ---
Nonce | MUST | Unique for the (issuer, subject, operation, window) tuple. Implementations SHOULD use at least 128 bits of randomness or equivalent collision resistance.
Timestamp | MUST | Issuance timestamp on every protected request. Receivers MUST reject requests outside the accepted replay window.
Replay window | MUST | Receivers MUST remember accepted nonces until the replay window elapses. A second request with the same nonce inside that window MUST be rejected even if the signature is valid.

The default window SHOULD be short enough to limit replay value and long enough to tolerate normal network latency and bounded clock skew.

Failure behavior

Replay failures MUST deny the operation and SHOULD emit an audit event. Error responses SHOULD NOT reveal whether a valid request with the same nonce was previously accepted, beyond the minimum needed for debugging authorized clients.

Storage

Production deployments SHOULD use restart-resilient nonce storage.

In-memory storage MAY be used for single-node development deployments. Production deployments SHOULD use storage with process-restart resilience when the protected operation can be retried after restart.
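The following is an added example, not code from this spec or its reference implementation, of a receiver that applies the Requirements table, the Failure behavior rule, and the Storage rule together. It assumes an HMAC-SHA256 signature over the request fields, a 30-second default window (the spec leaves the value to deployments), a uniform client-facing denial with the precise reason going only to an audit list, and two interchangeable nonce stores: an in-memory dictionary for single-node development and a SQLite table whose primary key gives restart-resilient duplicate detection when backed by a file. The names `ReplayGuard`, `SignedRequest`, `InMemoryNonceStore` and `SqliteNonceStore` are invented for illustration.

```python
import hashlib
import hmac
import os
import sqlite3
from dataclasses import dataclass

# Assumed default replay window in seconds; the spec does not fix a value.
DEFAULT_WINDOW_SECONDS = 30.0


class InMemoryNonceStore:
    """Nonce memory for single-node development; lost on process restart."""

    def __init__(self):
        self._seen = {}  # nonce key -> time at which its window elapses

    def add_if_absent(self, key, expires_at, now):
        # Forget nonces whose window has fully elapsed, then record this one
        # unless it is already present (the replay signal).
        for k, exp in list(self._seen.items()):
            if exp < now:
                del self._seen[k]
        if key in self._seen:
            return False
        self._seen[key] = expires_at
        return True


class SqliteNonceStore:
    """Restart-resilient nonce memory: give a file path in production (':memory:' is only for tests)."""

    def __init__(self, path):
        self._db = sqlite3.connect(path)
        self._db.execute(
            "CREATE TABLE IF NOT EXISTS nonces (key TEXT PRIMARY KEY, expires_at REAL NOT NULL)")
        self._db.commit()

    def add_if_absent(self, key, expires_at, now):
        self._db.execute("DELETE FROM nonces WHERE expires_at < ?", (now,))
        try:
            # The PRIMARY KEY rejects a duplicate atomically, so a concurrent replay
            # cannot slip in between a lookup and an insert.
            self._db.execute("INSERT INTO nonces (key, expires_at) VALUES (?, ?)", (key, expires_at))
            self._db.commit()
            return True
        except sqlite3.IntegrityError:
            self._db.rollback()
            return False


@dataclass
class SignedRequest:
    issuer: str
    subject: str
    operation: str
    nonce: str
    timestamp: float  # issuance time, seconds since epoch
    signature: str = ""


def _signing_input(req):
    return f"{req.issuer}|{req.subject}|{req.operation}|{req.nonce}|{req.timestamp:.3f}".encode()


def sign_request(key, req):
    # HMAC-SHA256 stands in for the deployment's real signature scheme (assumption).
    return hmac.new(key, _signing_input(req), hashlib.sha256).hexdigest()


def new_request(key, issuer, subject, operation, now):
    nonce = os.urandom(16).hex()  # 128 bits of randomness, as the Nonce row requires
    req = SignedRequest(issuer, subject, operation, nonce, now)
    req.signature = sign_request(key, req)
    return req


class ReplayGuard:
    """Receiver-side checks in order: signature, timestamp window, nonce uniqueness."""

    CLIENT_DENIAL = "request rejected"  # one uniform message; the reason goes only to audit

    def __init__(self, store, window=DEFAULT_WINDOW_SECONDS):
        self.store = store
        self.window = window
        self.audit_events = []  # stands in for the deployment's audit sink

    def _deny(self, reason, req):
        self.audit_events.append({"event": "replay_protection_denied", "reason": reason,
                                  "issuer": req.issuer, "operation": req.operation,
                                  "nonce": req.nonce})
        return False, self.CLIENT_DENIAL

    def accept(self, key, req, now):
        if not hmac.compare_digest(sign_request(key, req), req.signature):
            return self._deny("bad_signature", req)
        if abs(now - req.timestamp) > self.window:
            return self._deny("outside_replay_window", req)
        # Uniqueness is scoped to the (issuer, subject, operation) tuple plus the nonce.
        nonce_key = "|".join((req.issuer, req.subject, req.operation, req.nonce))
        # Remember the nonce until its window elapses; a later copy of the same request
        # is rejected here even though its signature verified above.
        if not self.store.add_if_absent(nonce_key, req.timestamp + self.window, now):
            return self._deny("nonce_replayed", req)
        return True, "ok"
```

Both stores expose the same `add_if_absent(key, expires_at, now)` contract, so a deployment can start on the in-memory store and move to a file-backed `SqliteNonceStore` without touching `ReplayGuard`. The expiry is `timestamp + window` rather than `now + window`: once that moment passes, the timestamp check alone rejects any replay, so nothing older needs to be remembered. The in-memory purge is a linear scan on every call, which is acceptable for development but is one more reason the spec points production at a real store.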

Out of scope

This spec does not define capability-token schema, federation peer admission, or HLC bounded-skew rejection thresholds.