Hi all, We had a session on this topic in the OAuth Security Workshop (with Brian, Filip and Mike present) and asked for feedback. Everyone that voiced their opinion was against this extension in the scope of the current draft and the OAuth Working Group, but there was the remark to make sure that this draft allows for this feature if people wish to create this extension (as Filip also stated previously here on the mailing list). Slides we used with short notes on the Feedback we got: https://docs.google.com/presentation/d/1NGYsJgwGOBDRbop9OLAbj6_0Aoo3FhAyabu-aE4ghyk/edit#slide=id.g33a15d709f8_0_331 Best Regards, Christian From: Michael Jones <michael_b_jo...@hotmail.com>
Date: Wednesday, 26. February 2025 at 18:05
To: Brian Campbell <bcampb...@pingidentity.com>, Filip Skokan <panva...@gmail.com>
Cc: Christian Bormann <chris.borm...@gmx.de>, oauth <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Re: Status List Feature Request X.509 already has its own revocation infrastructure (in fact, more than one kind!). We needn’t complicate this spec to add another one for X.509. -- Mike From: Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org>
Sent: Wednesday, February 26, 2025 4:46 PM
To: Filip Skokan <panva...@gmail.com>
Cc: Christian Bormann <chris.bormann=40gmx...@dmarc.ietf.org>; oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Status List Feature Request I concur with Filip's perspective. I believe it is inappropriate and wildly out of scope for an oauth document to define X.509 extensions, which IIUC is needed in order to define the Status Claim for X.509? The important thing to make sure is that the document does not preclude a future X.509 extension being drafted (wherever its appropriate place may be) that makes use of the status list, and that already appears to be the case. Hi all, While going through the feedback and issues on github, there was one bigger discussion point that we would like to bring to the mailing list. Steffen Schwalm asked for support for X.509 Certificate revocation with the Status List - in that case the Status List describing the status of an X.509 Certificate (relevant issue https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/243). That would mean defining an extension to X.509 to embed the relevant information for a Status List (URI and index) and creating validation rules etc. While we understand the general motivation as is discussed in more detail in the issue, it would be somewhat of a change of scope for the Status List draft. We felt it might be out of scope of the OAuth Working Group and rather in scope of other working groups like lamps? Any comments/opinions would be appreciated! Best Regards, Christian Bormann _______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
|
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
