spec icon indicating copy to clipboard operation
spec copied to clipboard
verified publisher icon ucan-wg

Expiry field is required but may be set to null

Open andrewzhurov opened this issue 2 years ago • 2 comments

According to the spec, Expiry field is required but may be set to null to convey "never expires". Are there reasons to have the field set to null vs having it absent (optional)?

There are several reasons to prefer having it optional:

  1. Adheres to the JWT spec
  2. Makes for a uniform way of conveying absence, as it is for nbf & other fields.
  3. Makes for a more sound absence semantic, this great talk gives a fine mindset for it

andrewzhurov avatar Sep 07 '23 08:09 andrewzhurov

Are there reasons to have the field set to null vs having it absent (optional)?

Intention had been to have an explicit signal and catch malformed UCANs that accidentally omitted this field.

Gozala avatar Sep 26 '23 16:09 Gozala

Yeah, an expiry was required (arguably it still should be, though there are hacks around that). Ergonomically, making this field required means that people have to at least think about POLA.

expede avatar Sep 26 '23 16:09 expede