Reusing offline activation files indefinitely?

I just noticed that this is possible:

  1. Generate an offline activation and get the activation file
  2. Activate the license in the app with the activation file
  3. Deactivate offline using the offline deactivation request code from the app
  4. It can be activated again using the same activation file used in step 1

The issue is that step 3 frees the activation slot, which can be used to activate the license on another machine.
So using this scheme, a license with a single activation slot could be activated on an unlimited number of machines.

In my opinion, generating an offline deactivation request code should prevent subsequent reactivations using the same activation file.

Am I missing something?

I am another user, but my understanding is that deactivation is meant to allow for license transfer. If you don’t want to allow multiple activations / deactivations of a license, you should configure that in the license when you create it.

When you generate an offline activation request, information about the machine to be licensed is encoded in the data you supply to Cryptlex to generate an activation response. I believe this information is used to validate the machine, so you shouldn’t be able to license more than one machine with a single offline activation response, although it may depend on the license configuration.

Additionally, a license activation file has a particular validity period that you configure when generating an offline activation request. If you set that to a reasonable value, the offline license should fail to activate after that period has elapsed. This means that a user can probably activate on a machine, then deactivate, and then activate again, but only until that validity period has elapsed.

Yes, @chutchinson summed it up well. I will add a few more points:

1- You can set allowed deactivations to 0 to prevent a deactivation in case of offline activation, and increment its value only when the user requests the transfer of the license to another machine.

2- The offline activation response is node-locked to the device; it cannot be used for any other device.

> So using this scheme, a license with a single activation slot could be activated on an unlimited number of machines.

It can be used to activate a number of machines equal to the allowed deactivations.

This issue will get fixed in future versions of LexActivator, as we are planning to make offline responses usable only once. So once a response file is consumed, it cannot be reused on the machine.

That sounds like it should fix the issue!
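
The checks discussed in this thread (node-locking, the validity period, and the planned single-use rule), as an added sketch that is not Cryptlex or LexActivator code. All names, the HMAC standing in for the vendor's signature, and the in-memory consumed-ID set are assumptions made for illustration.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stand-in for the vendor signing key

def issue_response(response_id, fingerprint, expires_at):
    """Server side: sign a node-locked, time-limited offline response."""
    body = json.dumps({"id": response_id, "fp": fingerprint, "exp": expires_at},
                      sort_keys=True).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

class Client:
    """Hypothetical client; `single_use` toggles the fix planned in the thread."""
    def __init__(self, fingerprint, single_use):
        self.fingerprint = fingerprint
        self.single_use = single_use
        self.consumed = set()   # ids of responses already used on this machine
        self.active = False

    def activate(self, response, now):
        body = response["body"].encode()
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response["tag"]):
            return "bad-signature"
        claims = json.loads(body)
        if claims["fp"] != self.fingerprint:
            return "wrong-machine"        # node-lock check
        if now >= claims["exp"]:
            return "expired"              # validity period check
        if self.single_use and claims["id"] in self.consumed:
            return "already-consumed"     # single-use check
        self.consumed.add(claims["id"])
        self.active = True
        return "ok"

    def deactivate(self):
        """Emit the offline deactivation request; the server then frees the slot."""
        self.active = False
        return "deactivation-request"

def replay_after_deactivation(single_use):
    """Steps 1-4 from the first post; returns the result of step 4."""
    resp = issue_response("resp-001", "machine-A", expires_at=1000)  # constructed
    client = Client("machine-A", single_use)
    assert client.activate(resp, now=10) == "ok"
    client.deactivate()
    return client.activate(resp, now=20)
```

For the single-use rule to hold in a real client, the consumed-ID record has to persist across restarts and reinstalls rather than live in memory as it does here.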