Hi Christian,

My opinion was posted yesterday at: https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/243

In a nutshell:

   Defining this extension in the current draft would be easier as the
   same document would be able to support "Referenced Tokens"
   encoded as JWT, CWT or DER.

   Two approaches would be possible:

     * to define an extension similar to "CRL Distribution Points" as
       defined in RFC 5280, in section 4.2.1.13
       <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.13>.
     * to define an accessMethod OID similar to "id-ad-ocsp OBJECT
       IDENTIFIER ::= { id-ad 1 }" as defined in RFC 5280,
       in 4.2.2.1
       <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.2.1>.
       Authority Information Access.

   If developed by the LAMPS WG, this would require a rechartering of
   LAMPS.
   If developed by the OAuth WG, recommendations from the co-chairs
   should be considered.

Denis

Hi all,

While going through the feedback and issues on GitHub, there was one bigger discussion point that we would like to bring to the mailing list. Steffen Schwalm asked for support for X.509 Certificate revocation with the Status List - in that case the Status List describing the status of an X.509 Certificate (relevant issue https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/243). That would mean defining an extension to X.509 to embed the relevant information for a Status List (URI and index) and creating validation rules etc.

While we understand the general motivation as is discussed in more detail in the issue, it would be somewhat of a change of scope for the Status List draft. We felt it might be out of scope of the OAuth Working Group and rather in scope of other working groups like LAMPS? Any comments/opinions would be appreciated!

Best Regards,

Christian Bormann


_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
