Establish a mechanism that allows for other revocation means in the Referenced Token #90
Conversation
|
Should we consider registering an IANA registry? As RFC7800 did here: https://www.rfc-editor.org/rfc/rfc7800.html#section-6.2 |
draft-ietf-oauth-status-list.md
Outdated
| @@ -167,9 +169,13 @@ The following rules apply to validating the "status" (status) claim | |||
|
|
|||
| 1. The claim value MUST be a valid JSON object. | |||
|
|
|||
| 2. The claim value object MUST contain an "idx" (index) member with a numeric value that represents the index to check for status information in the Status List for the current JWT. The value of this member MUST be a non-negative number, containing a value of zero or greater. | |||
| 2. The claim value object MUST contain a member called "status_list" that signals that status checks for this token can be done using the status list mechanism defined in this document. For the "status_list" object, the following rules apply: | |||
There was a problem hiding this comment.
If we make this a MUST then won't other future mechanisms only be additional rather than alternatives?
There was a problem hiding this comment.
this is only a MUST for the mechanism used in the specification. If Giuseppe wants to implement an OCSP-like mechanism than it would look mlike:
"status" : {
"new-mechanism-name" : {
"whatever-parameter" : "whatever-value"
}
} There was a problem hiding this comment.
Yeah, that was the intention. For this spec, the existence of status_list is a MUST, but other status mechanisms can reuse the status claim and define other behaviour depending on other claims within status.
There was a problem hiding this comment.
I think we may need some text to the introduction that explains this in more detail. However its more better to merge #89 first and then start working from there
|
This changed quite a bit with the recent bigger PR (and had some merge conflicts) -> please check again :/ @paulbastian @tplooker |
|
I'll add a small section as an introduction / to explain the |
| * `uri`: REQUIRED. The `uri` (URI) claim MUST specify a String value that identifies the Status List or Status List Token containing the status information for the Referenced Token. The value of `uri` MUST be a URI conforming to {{RFC3986}}. | ||
| * `status`: REQUIRED. The `status` (status) claim MUST specify a JSON Object that contains a reference to a status mechanism. | ||
| * `status_list`: REQUIRED when the status list mechanism defined in this specification is used. It contains a reference to a Status List or Status List Token. The object contains exactly two claims: | ||
| * `idx`: REQUIRED. The `idx` (index) claim MUST specify an Integer that represents the index to check for status information in the Status List for the current Referenced Token. The value of `idx` MUST be a non-negative number, containing a value of zero or greater. |
There was a problem hiding this comment.
Maybe swap the order of Uri and idx?
There was a problem hiding this comment.
Current ordering is alphabetical which matches the examples and what afaik most json libraries will generate - that was my main intention for this ordering
c2bo
force-pushed
the
c2bo/status-reference
branch
from
ad14f1f to
21dc0f1
Compare
|
I think the text in the introduction is a little weird. I checked what 7800 wrote:
I think the text may be more subtle along this lines. I would omit "we expect more in the future" which doesn't age well in a standard and be more neutral, just saying that we establish a registry for other mechanisms? |
Sounds reasonable - i will propose a change |
|
I changed the text and realized that the IANA text in general needs some work, could you please re-review the current state? I am not super happy with this version but imho let's go with something like this for the time being and revisit a bit later (and fix all of the IANA related things). |
draft-ietf-oauth-status-list.md
Outdated
| @@ -223,16 +227,21 @@ TBD | |||
|
|
|||
| # Referenced Token {#referenced-token} | |||
|
|
|||
| ## Status Claim {#status-claim} | |||
|
|
|||
| By including a "status" claim in a JWT, the issuer of the JWT declares that the credential is referencing a mechanism to retrieve status information about this credential. The claim contains members used to reference to a status list as defined in this specification. Other members of the "status" object may be defined because status list means to check the status of a credential. This is analogous to "cnf" claim in Section 3.1 of {{RFC7800}} in which different authenticity confirmation methods can be included. | |||
There was a problem hiding this comment.
it seems this is in the wrong chapter?
Co-authored-by: Paul Bastian <[email protected]>
Co-authored-by: Paul Bastian <[email protected]>
Establish a mechanism that allows for other revocation means in the Referenced Token as discussed in #85. The only thing i changed was to call the reference "status_list" but I am open to change it to "status_bitstring" if we think that is a better fit.
Closes #85
Preview Link
click here for rendered preview of PR