<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
openid/sharedsignals event <br>
<br>
Issue Comment created on issue 257 <br>
Issue Title: Preventing replay attacks in PUSH streams <br>
https://github.com/openid/sharedsignals/issues/257 <br>
<br>
Comment: You are right, I thought `aud` was Receiver-supplied but it's Transmitter-supplied. That plus the authorization_header should solve the problem.
</body>
</html>