[OAUTH-WG] Re: Comments on two closed issues on github about draft-ietf-oauth-status-list

[Paul Bastian]

Hi Denis,

towards point a)
We think it makes sense to have this separation, we also make us of it 
in the privacy consideration Section 12.6 and implementation 
consideration Section 13.5. Furthermore we think it's not required to 
have multiple endpoints (status list language `uri`) as there are 
mechanisms within DNS itself that fulfill this purpose very well today 
and it's very rarely used within CRL from our observations.

towards point b)

We were under the impression that it's possible to register OIDs from an 
IETF specification, is this correct? Does the requested OID seem reasonable?

We added one of your suggestions here: 
https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/258


Best regards,

Paul

On 06.02.25 16:15, Denis wrote:

As a box for comments was still available, I answered to two closed 
issues. So I wonder if they have been seen.
The comments on these two closed issues are:

a) *The term Issuer SHOULD NOT be used to refer to an entity acting 
"for all three roles #220*

    I am still not convinced that the role of a "Status Provider"
    needs to be considered as separate from the role of the "Status
    Issuer".

    In RFC 5280, the role of the "CRL issuer" is recognized, but the
    role for a "CRL Provider" does not exist.

    As CRLs and Status List Tokens are similar, I don't see for which
    reason we should introduce the role of a "Status Provider".

    I noticed that only one "distribution point" (uri) is being used,
    but a "CRL issuer" can use several "distribution points".
    Why should it be different for a "Status Issuer" ?

    See detailed comments at :
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/220

*b) **Adds an EKU based X.509 certificate extension #246*

    Instead of using the Key Usage extension (Section 4.2.1. from RFC
    5280) as initially proposed, it has been noticed that the current
    proposal
    is to use the Extended Key Usage Extension (Section 4.2.1.12 from
    RFC 5280).

    See detailed comments at:
    https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/246

Denis




_______________________________________________
OAuth mailing list --oauth@ietf.org
To unsubscribe send an email tooauth-le...@ietf.org_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org