Barry Dorrans

"httpClient.allowUntrustedCerts" where it's global is horrifying, and too wide ranging. What on earth are you doing in azure cloud shell that everything ends up untrusted? A list of host names...

Oh and that exemption will need renewing annually :)

We don't publish curl. An option is an easy argument to make. Defaulting it to be on is not. An option that is global and persists is not.

Nope, we'd need to figure out what the sdl requirement is, email hunter saying you're adding an option to turn off that validation and ask for an exception, then save...

A big fat warning banner when the option is used would be good.

I have no idea without trying it. The goal of the compat layer was only to concentrate on auth cookies with serialized claims, and not for cookies which point elsewhere.

Hmm strange. @Tratcher @HaoK did the chunking format change in cookies?

There is a redis provider, it popped up in 1.1; https://github.com/aspnet/DataProtection/tree/dev/src/Microsoft.AspNetCore.DataProtection.Redis

Ah, that might be right. The cookie is supposed to be self contained. I don't think we ever looked at using redis on both sides to store the identity, and...

The cookie sharing I'm referring to is for logins/authentication, in it's basic form, where the cookie has all the user information, nothing more. Not sessions, not reference cookies where the...