62726164
Thanks for opening this issue. I think that's a great idea. I'll add it to the todo list.
Hi. Thanks for the comment. The web service itself stores used signatures. Once a signature is used to log in, it cannot be re-used later.
Yes, that would be true. If the current time signing scheme was used on multiple websites and the user used the same keypair for both sites, then that would work....
I plan to switch to signing a nonce rather than the current time. Only the website and the user would know the nonce. A fake nonce would not be recognized...
Yes, adding the domain to the timestamp is another good idea to limit the scope. Thanks for the comment and the link.
Thanks Clark. I added a note to that section.