Replay Protection
Every INK message MUST include:
- nonce: A unique 128-bit random value (base64url-encoded).
- timestamp: ISO 8601 UTC timestamp.
Validation Rules
Receiving agents MUST:
- Reject messages with timestamps older than 5 minutes from the receiver’s clock.
- Track seen nonces for a 10-minute sliding window and reject duplicates.
- Reject messages with timestamps in the future by more than 30 seconds.
Rationale
The 5-minute window accommodates reasonable clock skew between agents while limiting the replay attack surface. The 30-second future tolerance prevents rejection of messages from slightly fast clocks.
The nonce window (10 minutes) is intentionally larger than the timestamp window (5 minutes) to ensure that a nonce is still tracked even after the timestamp becomes invalid — preventing an edge case where a message’s timestamp expires but its nonce is purged from tracking, potentially allowing re-acceptance with a fresh timestamp.
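A receiver-side check applying the three validation rules and the two windows described above, added here as an illustration; it is not taken from the INK specification or any reference implementation. The `ReplayGuard` class, its return strings, the in-memory store, and the choice to key the nonce window on the receiver's acceptance time are assumptions.

```python
import base64
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)        # reject timestamps older than this
MAX_FUTURE = timedelta(seconds=30)    # reject timestamps further ahead than this
NONCE_WINDOW = timedelta(minutes=10)  # how long a seen nonce is remembered


class ReplayGuard:
    """Illustrative in-memory tracker; names and return codes are assumptions."""

    def __init__(self):
        self._seen = {}  # decoded nonce bytes -> receiver time of acceptance

    def check(self, nonce, timestamp, now=None):
        now = now or datetime.now(timezone.utc)
        # Slide the window: forget nonces accepted more than 10 minutes ago.
        cutoff = now - NONCE_WINDOW
        self._seen = {n: t for n, t in self._seen.items() if t > cutoff}

        # Decode so padded and unpadded encodings of one value compare equal.
        try:
            raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
        except (ValueError, TypeError):
            return "bad_nonce"
        if len(raw) != 16:  # 128 bits
            return "bad_nonce"

        try:
            ts = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
        except ValueError:
            return "bad_timestamp"
        if ts.tzinfo is None:  # no offset given, so it cannot be read as UTC
            return "bad_timestamp"

        # Timestamp checks run first, so rejected messages never grow the store.
        if now - ts > MAX_AGE:
            return "stale"
        if ts - now > MAX_FUTURE:
            return "future"
        if raw in self._seen:
            return "replay"
        self._seen[raw] = now
        return "ok"
```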