> As I recall, the argument was that without this, someone could just keep fishing at the
> token revocation endpoint for valid tokens. Though thinking about it now, even if you
> did get a "token was valid" response, the token wouldn't be valid anymore and it wouldn't
> do you much good.

Right, exactly.

> It's possible that "invalidation" is a better term for this, but is there an established semantic
> precedent for this distinction?

In English, yes (I don't know about in Computer):

If I walk down to the motor vehicle office, hand them my driver's license, and say, "Here, take this and destroy it, please. I don't need it any more," then I will no longer have a valid driver's license... but *no one* would say that my license had been "revoked".

If I'm caught driving drunk one too many times, and a judge says, "Take the bus from now on," and orders my driver's license revoked, that's a real English-language "revocation". Note the connotation that it's imposed on me by another party, not done at my request.

This isn't a huge point, which is why I didn't mark it as a DISCUSS point, and I won't block the document if it's not changed. But I think it *should* be changed, and might cause confusion if it's not, especially if we ever do set up a true revocation protocol.

Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth