On Tue, Apr 22, 2025 at 08:49:04AM +0200, Christian Bormann wrote:
> Hi all,
>
> We got feedback during the working group last call that we would like to
> incorporate:
>
> The Extended Key Usage is currently defined in a way that it can only be
> used for issuers of status list tokens. There are other mechanisms that are
> relatively similar to the token status list that would also benefit from
> this definition and we would like to loosen the text a bit to allow other
> status mechanisms to re-use the same EKU.
>
> PR: https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/284/files
>
> Is anyone not comfortable with the proposed change?
I'm not particularly comfortable with the proposal absent further information about the scope of expected usage. OIDs are supposed to be cheap, and are supposed to have well-specified semantics that do not change over time. This proposal makes the semantics more vague and open to change over time as new status mechanisms are defined.

In particular, if the presence of this EKU is intended to be treated as the issuer explicitly delegating signing authority, this proposal is having the issuer sign a blank check that lets the holder of the EE certificate use whatever new status mechanisms might be developed in the future. Without some limitation on the scope of what constitutes such a status mechanism it's hard to see that an issuer would have confidence it actually wants to delegate that authority.

Why can the parties responsible for these other status mechanisms not define their own EKUs?

-Ben

_______________________________________________
OAuth mailing list -- oauth@ietf.org
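As an added illustration of the verifier-side check the thread is arguing about (example code written for this page, not from the draft, the PR, or either poster): a relying party decides whether an EE certificate is delegated a role by looking for an exact OID in its ExtendedKeyUsage extension. The code below encodes and decodes the DER `SEQUENCE OF OBJECT IDENTIFIER` that the extension carries, using only the standard library, and checks for a required OID. The OIDs `2.999.1` and `2.999.2` are placeholders from the ITU-T example arc standing in for "status list issuer" and "some other status mechanism"; the draft's real EKU OID is not reproduced here. The point the example makes concrete: with one OID per mechanism the check is exact, whereas a single shared EKU gives the verifier no way to tell which mechanism the issuer intended to delegate.

```python
# Minimal DER helpers for the X.509 ExtendedKeyUsage extension value
# (RFC 5280: ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId).
# Standard-library only; written as an example for this thread.

ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage (RFC 5280)

# Placeholders in the ITU-T example arc 2.999, NOT the draft's real OID.
EKU_STATUS_LIST_ISSUER = "2.999.1"   # hypothetical: status list token issuer
EKU_OTHER_STATUS_MECH = "2.999.2"    # hypothetical: a different status mechanism


def _encode_base128(n: int) -> bytes:
    """Base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) for a dotted string such as 1.3.6.1.5.5.7.3.1."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(40 * arcs[0] + arcs[1])
    for a in arcs[2:]:
        body += _encode_base128(a)
    return b"\x06" + _encode_len(len(body)) + body


def encode_eku(oids: list) -> bytes:
    """DER SEQUENCE (tag 0x30) of KeyPurposeId OIDs, i.e. the extnValue of EKU."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    """Dotted string from the contents octets of an OBJECT IDENTIFIER."""
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]                    # first two arcs are packed as 40*a + b
    if first < 40:
        a, b = 0, first
    elif first < 80:
        a, b = 1, first - 40
    else:
        a, b = 2, first - 80
    return ".".join(str(x) for x in [a, b] + arcs[1:])


def decode_eku(der: bytes) -> list:
    """Parse an EKU extnValue into a list of dotted OIDs; reject anything malformed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, oid_body, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE contains a non-OID element")
        oids.append(decode_oid(oid_body))
    if not oids:
        raise ValueError("EKU SEQUENCE must contain at least one KeyPurposeId")
    return oids


def eku_permits(eku_der: bytes, required_oid: str, accept_any_eku: bool = False) -> bool:
    """True only if the EE certificate's EKU carries exactly the purpose we require.
    anyExtendedKeyUsage is not accepted unless the verifier's policy opts in."""
    oids = decode_eku(eku_der)
    if required_oid in oids:
        return True
    return accept_any_eku and ANY_EKU in oids


if __name__ == "__main__":
    # Constructed sample: a certificate delegated only the "other" mechanism.
    sample_eku = encode_eku([EKU_OTHER_STATUS_MECH])
    print(decode_eku(sample_eku))
    print("status list issuer?", eku_permits(sample_eku, EKU_STATUS_LIST_ISSUER))
```

With distinct OIDs the sample certificate is correctly rejected as a status list issuer; if both mechanisms were folded into one shared OID, the same call would have to return true for every mechanism that ever adopts it, which is the open-ended delegation the reply objects to.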