What kind of creatures are subject to Phantom Rogue’s Tokens of the Departed?

This might get a little fiddly, but I was curious how people would rule on this aspect of Phantom Rogue’s level 13 feature, "Tokens of the Departed"

When a life ends in your presence, you’re able to snatch a token from the departing soul, a sliver of its life essence that takes physical form: as a reaction when a creature you can see dies within 30 feet of you, you can open your free hand and cause a Tiny trinket to appear there, a soul trinket. The DM determines the trinket’s form or has you roll on the Trinkets table in the Player’s Handbook to generate it.

Do you think that the creature necessarily needs a soul to be able to use this feature? I.e., would this work on undead or constructs? Flavor text uses "soul" but the RAW mechanic just says "when a creature dies", and "has soul" and "does not have soul" aren’t properties of a stat block.

Thanks for your time.

How can I let players create and move their own tokens in roll20?

When I run D&D online, I want to delegate players to have control of their tokens.

If one of my players tells me they cast flaming sphere, I want to be able to tell them to go find an image of a flaming sphere and put it on the map as a token.

If one of my players turns into a dire wolf, I want to be able to tell them to replace their token with a dire wolf token with the of their choice.

If one of my players uses summon nature’s ally and summons a bunch of critters, I want to be able to tell them to put the critters on the map.

I believe that using the roll20 console I could do this work for the players, but I want to spend my time doing other things, for example running the next player’s turn while this player generates a moonbeam token.

When I’ve tried to use roll20, I always had to create tokens for my players and then delegate them permission to use the tokens, and I frequently got it wrong and had to redo it.

Is there a way to configure roll20 to let my players create and manipulate tokens of their own?

Is `iss` property in JWT tokens redundant?

I’m reading up on some OpenID Connect documentation trying to get my head around the protocol. I came across the issuer property that is common in the JWT tokens. How come this is required if we should always check the signature of the token against the expected endpoint?

I understand that one can validate against either a symmetric or asymmetric hash, but validation is expected either way.

Have I missed an important feature of the JWT?
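As an added illustration (not part of the question), here is a minimal HS256 verifier that checks the signature and then the `iss`, `aud` and `exp` claims OpenID Connect requires; the issuer URLs and secrets are constructed for the demo. With two trusted issuers, a staging token carries a perfectly valid signature yet must still be rejected by the `iss` comparison, which is what the signature alone cannot do.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secrets for two issuers the same relying party trusts
# (hypothetical staging and production identity providers).
ISSUER_KEYS = {
    "https://idp.example.com": b"prod-secret-constructed-for-demo",
    "https://staging-idp.example.com": b"staging-secret-constructed-for-demo",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, expected_iss: str, expected_aud: str, now: float) -> dict:
    """Verify signature, then iss/aud/exp. Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(payload_b64))
    # The signature only proves that *some* trusted key signed the token.
    # Picking the key by iss, then comparing iss to what we expect, is what
    # stops a token from a different (even trusted) issuer being accepted here.
    iss = claims.get("iss")
    secret = ISSUER_KEYS.get(iss)
    if secret is None:
        raise ValueError("unknown issuer")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if iss != expected_iss:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims
```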

Are web worker / service worker secure environments to store a password, credit card information, access tokens?

If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:

Are web workers / service workers a secure environment, where such data can not be compromised? If so, what to do to really secure it? If not so, why not exactly?

Do id tokens need to be signed asymmetrically?

Access tokens that are passed to the public in an OAuth flow clearly need to be signed using asymmetric encryption (e.g. RSA) so that they cannot be altered by the client to gain access to new scopes, etc.

Id tokens on the other hand are not used to access any resources on the server. So if the client is able to alter the id token they will not be able to gain access to any extra resources. Does that mean that it would be okay to use a symmetric (HMAC) signature with a secret that is shared between the server and a specific client application (like the oauth client_secret for a given oauth client)?

Why make it difficult to disable MFA tokens?

Some websites make it easy to enrol multiple TOTP apps at the same time but make it difficult to disable these apps. For instance, the user would have to completely reset the MFA settings instead of just disabling one TOTP app, or the user would have to provide a state-issued ID to have this done by user support.

What type of threat scenario does this address? After all, an attacker who would be able to authenticate as a legitimate user would then be able to change the password and lock the legitimate user out, so what is the difference?

Anonymity of Bluetooth tokens

In the context of contact tracing, I have a privacy question.

I have read a few (and “few” is already a bad thing) articles about Bluetooth contact tracing, especially in the context of the SARS-CoV-2 pandemic. There are huge privacy concerns in contact tracing.

One solution proposed by researchers is to use “changing” device identifiers in order to prevent authorities from tracing an individual’s location history by the usage of beacons in public places or analysis of traces from other devices. The topic is particularly hot in the European Union.

Only question here: regardless of the randomization of the device ID transmitted via Bluetooth, is it already possible to listen for Bluetooth MAC addresses to identify a single device?

Example scenario: in a world where smartphone owners are encouraged to use a legitimate government-powered app (supposing that the government is democratic), a rogue vendor with a large market rate may push a malicious Bluetooth app onto their consumers’ phones (a large user base who just clicks “accept” on anything). The malicious app continuously scans for Bluetooth MAC identifiers to report home. The addresses are potentially georeferenced. Deanonymization might occur.

So far, I have always learned to keep my Bluetooth invisible while I don’t need it and possibly turned off to save battery.

A country or continent-wide contact tracing scheme might be a good excuse to keep Bluetooth on and available for scan.

Question is: what am I getting wrong?