draft-ietf-oauth-status-list.md
44 additions & 0 deletions
@@ -206,6 +206,7 @@ This section defines the structure for a JSON-encoded Status List:
206
206
* `status_list`: REQUIRED. JSON Object that contains a Status List. It MUST contain at least the following claims:
207
207
* `bits`: REQUIRED. JSON Integer specifying the number of bits per Referenced Token in the Status List (`lst`). The allowed values for `bits` are 1,2,4 and 8.
208
208
* `lst`: REQUIRED. JSON String that contains the status values for all the Referenced Tokens it conveys statuses for. The value MUST be the base64url-encoded (as defined in Section 2 of {{RFC7515}}) Status List as specified in [](#status-list).
209
+
* `aggregation_uri`: OPTIONAL. JSON String that contains a URI to retrieve the Status List Aggregation for this type of Referenced Token. See section [](#batch-fetching) for further detail.
209
210
210
211
The following example illustrates the JSON representation of the Status List:
211
212
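Review bot: the list that this hunk extends is introduced by "It MUST contain at least the following claims", but the new `aggregation_uri` entry is OPTIONAL, so required and optional members now sit under one MUST; consider keeping `bits` and `lst` under that sentence and introducing optional claims such as `aggregation_uri` in a separate sentence ("The object MAY additionally contain ..."). The new line should also say which URI schemes are acceptable: the -03 changelog below requires TLS for fetching a Status List, so the text should state whether `aggregation_uri` is likewise restricted to `https` URIs, otherwise a Relying Party can be directed to fetch the aggregation over plaintext. Minor drive-by: the `bits` line here spells the allowed values "1,2,4 and 8" while the CBOR section spells them "1, 2, 4 and 8".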
@@ -220,6 +221,7 @@ This section defines the structure for a CBOR-encoded Status List:
220
221
* The `StatusList` structure is a map (Major Type 5) and defines the following entries:
221
222
* `bits`: REQUIRED. Unsigned int (Major Type 0) that contains the number of bits per Referenced Token in the Status List. The allowed values for `bits` are 1, 2, 4 and 8.
222
223
* `lst`: REQUIRED. Byte string (Major Type 2) that contains the Status List as specified in [](#status-list-json).
224
+
* `aggregation_uri`: OPTIONAL. Text string (Major Type 3) that contains a URI to retrieve the Status List Aggregation for this type of Referenced Token. See section [](#batch-fetching) for further detail.
223
225
224
226
The following example illustrates the CBOR representation of the Status List in Hex:
225
227
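Review bot: the new OPTIONAL `aggregation_uri` entry depends on the -03 changelog item "relax requirements for status_list claims to contain other parameters" being reflected in this section; the text should state explicitly that the `StatusList` map MAY contain entries beyond `bits` and `lst` and that recipients MUST ignore entries they do not understand, because a strict decoder that enforces exactly the two previously defined entries will reject every Status List that carries the new field. The entry should also carry the same scheme restriction (https) that is placed on the JSON `aggregation_uri`, so the two encodings do not diverge in what a Relying Party is allowed to fetch.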
@@ -449,6 +451,47 @@ The HTTP response SHOULD use gzip Content-Encoding as defined in {{RFC9110}}.
449
451
450
452
TBD
451
453
454
+
# Status List Aggregation {#batch-fetching}
455
+
456
+
Status List Aggregation is an optional mechanism to retrieve a list of URIs to all Status List Tokens, allowing a Relying Party to fetch all relevant Status Lists for a specific type of Referenced Token or issuer. This mechanism is intended to support fetching and caching mechanisms and allow offline validation of the status of a reference token for a period of time.
457
+
458
+
There are two options for a Relying Party to retrieve the Status List Aggregation.
459
+
An issuer MAY support any of these mechanisms:
460
+
461
+
- Issuer metadata: The issuer of the Referenced Token publishes an URI which links to Status List Aggregation, e.g. in publicly available metadata of an issuance protocol
462
+
- Status List Parameter: The issuer of the Referenced Token includes an additional claim in the Status List (Token) that contains the Status List Aggregation URI.
463
+
464
+
## Issuer Metadata
465
+
466
+
The issuer MAY link to the Status List Aggregation URI in metadata that can be provided by different means like .well-known metadata as is used commonly in OAuth and OpenID, or via a VICAL extension for ISO mDoc / mDL.
467
+
468
+
The concrete specification on how this is implemented depends on the specific ecosystem and is out of scope of this specification.
469
+
470
+
## Status List Parameter
471
+
472
+
The URI to the Status List Aggregation MAY be provided as the optional parameter `aggregation_uri` in the Status List itself as explained in[](#status-list-cbor) and [](#status-list-json) respectively. A Relying Party may use this URI to retrieve an up-to-date list of relevant Status Lists.
473
+
474
+
## Status List Aggregation in JSON Format
475
+
476
+
This section defines the structure for a JSON-encoded Status List Aggregation:
477
+
478
+
* `status_lists`: REQUIRED. JSON array of strings that contains URIs linking to Status List (Tokens).
479
+
480
+
The Status List Aggregation URI provides a list of Status List URIs. This aggregation in JSON and the media type return SHOULD be `application/json`. A Relying Party can iterate through this list and fetch all Status List Tokens before encountering the specific URI in a Referenced Token.
481
+
482
+
The following is a non-normative example for media type `application/json`:
483
+
484
+
~~~ json
485
+
486
+
{
487
+
"status_lists": [
488
+
"https://example.com/statuslists/1",
489
+
"https://example.com/statuslists/2",
490
+
"https://example.com/statuslists/3"
491
+
]
492
+
}
493
+
~~~
494
+
452
495
# Further Examples
453
496
454
497
## Status List Token with 2-Bit Status Values in JWT format
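Review bot: the new section never states what a Relying Party may trust in the aggregation document. It is returned as plain `application/json` with no signature or freshness information, so the text should say that the aggregation only tells the RP where Status List Tokens are, and that each Status List Token fetched from a listed URI MUST be validated exactly as it would be after following the `uri` in a Referenced Token, with no status derived from the aggregation itself. "The issuer of the Referenced Token publishes an URI" and the Issuer Metadata subsection leave the fetch transport unspecified, while the -03 changelog requires TLS for fetching a Status List; the same requirement should be stated for the aggregation URI and for the URIs it lists. Since the mechanism explicitly invites an RP to "fetch all Status List Tokens", a sentence about what an RP should be prepared for (number and size of lists, reuse of the gzip Content-Encoding and caching advice already given for Status List retrieval) belongs here or in Security Considerations. Editorial: "as explained in[](#status-list-cbor)" is missing a space before the link; "publishes an URI" should be "publishes a URI"; "the status of a reference token" should use the defined term "Referenced Token"; "This aggregation in JSON and the media type return SHOULD be `application/json`" reads as "The aggregation is returned in JSON and the media type SHOULD be `application/json`"; and "An issuer MAY support any of these mechanisms" presumably means "either or both of these mechanisms".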
@@ -801,6 +844,7 @@ for their valuable contributions, discussions and feedback to this specification
801
844
802
845
-03
803
846
847
+
* introduce the status list aggregation mechanism
804
848
* relax requirements for status_list claims to contain other parameters
805
849
* change cwt referenced token example to hex and annotated hex
806
850
* require TLS only for fetching Status List, not for Status List Token
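Review bot: the changelog entry "introduce the status list aggregation mechanism" would serve implementers better if it named the normative additions a reader has to look for, i.e. the `aggregation_uri` parameter in the JSON and CBOR Status List and the `status_lists` aggregation document, and used the capitalized term "Status List Aggregation" that the new section title defines; the neighbouring -03 bullets are lowercase as well, so if the list style is intentionally lowercase only the missing parameter names apply.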