From 3e03b4b67f3421c8b7604426a7217422cdd013ff Mon Sep 17 00:00:00 2001 From: Seth For Privacy Date: Fri, 9 Jun 2023 11:19:23 -0400 Subject: [PATCH] Add context for limiting `before` timestamp --- 26.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/26.md b/26.md index b8fa9028..91176991 100644 --- a/26.md +++ b/26.md @@ -52,7 +52,9 @@ For example, the following condition strings are valid: - `kind=0&kind=1&created_at>1675721813` - `kind=1&created_at>1674777689&created_at<1675721813` -For the vast majority of use-cases, it is advisable that query strings should include a `created_at` ***after*** condition reflecting the current time, to prevent the delegatee from publishing historic notes on the delegator's behalf. +For the vast majority of use-cases, it is advisable that: +1. Query strings should include a `created_at` ***after*** condition reflecting the current time, to prevent the delegatee from publishing historic notes on the delegator's behalf. +2. Query strings should include a `created_at` ***before*** condition that is not empty and is not some extremely distant time in the future. If delegations are not limited in time scope, they expose similar security risks to simply using the root key for authentication. #### Example @@ -105,4 +107,4 @@ Clients should display the delegated note as if it was published directly by the Relays should answer requests such as `["REQ", "", {"authors": ["A"]}]` by querying both the `pubkey` and delegation tags `[1]` value. -Relays SHOULD allow the delegator (8e0d3d3e) to delete the events published by the delegatee (477318cf). \ No newline at end of file +Relays SHOULD allow the delegator (8e0d3d3e) to delete the events published by the delegatee (477318cf).