Merge branch 'main' into tl/tll

c2bo · c2bo · commit dd703ccce2d6 · 2024-02-27T11:15:16.000+01:00
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md
@@ -24,16 +24,31 @@ author:
     email: chris.bormann@gmx.de
 
 normative:
-  RFC7519: RFC7519
-  RFC8392: RFC8392
-  RFC3986: RFC3986
   RFC1950: RFC1950
   RFC1951: RFC1951
-  RFC7515: RFC7515
+  RFC2046: RFC2046
+  RFC3986: RFC3986
   RFC6125: RFC6125
+  RFC6838: RFC6838
+  RFC7515: RFC7515
+  RFC7519: RFC7519
+  RFC8152: RFC8152
+  RFC8259: RFC8259
+  RFC8392: RFC8392
+  RFC8949: RFC8949
   RFC9110: RFC9110
   RFC9111: RFC9111
-  IANA.JWT: IANA.JWT
+  SDJWTVC: I-D.ietf-oauth-sd-jwt-vc
+  IANA.JWT:
+    author:
+      org: "IANA"
+    title: "Media Types"
+    target: "https://www.iana.org/assignments/media-types/media-types.xhtml"
+  IANA.MediaTypes:
+    author:
+      org: "IANA"
+    title: "JSON Web Token Claims"
+    target: "https://www.iana.org/assignments/jwt/jwt.xhtml"
 informative:
   RFC6749: RFC6749
   RFC7662: RFC7662
@@ -54,7 +69,7 @@ This document defines a Status List and its representations in JSON and CBOR for
 
 An example for the usage of a Status List is to manage the status of issued access tokens as defined in section 1.4 of {{RFC6749}}. Token Introspection {{RFC7662}} defines another way to determine the status of an issued access token, but it requires the party trying to validate an access tokens status to directly contact the token issuer, whereas the mechanism defined in this specification does not have this limitation.
 
-Another possible use case for the Status List is to express the status of verifiable credentials (Referenced Tokens) issued by an issuer in the Issuer-Holder-Verifier model.
+Another possible use case for the Status List is to express the status of verifiable credentials (Referenced Tokens) issued by an Issuer in the Issuer-Holder-Verifier model {{SDJWTVC}}.
 The following diagram depicts the basic conceptual relationship.
 
 ~~~ ascii-art
@@ -117,7 +132,7 @@ Status List Token:
 : A token in JWT or CWT representation that contains a cryptographically secured Status List.
 
 Referenced Token:
-: A token in JWT or CWT representation which contains a reference to a Status List or Status List Token. The information from the contained Status List may give a Relying Party additional information about up-to-date status of the Referenced Token.
+: A cryptographically secured data structure which contains a reference to a Status List or Status List Token. It is RECOMMENDED to use JSON {{RFC8259}} or CBOR {{RFC8949}} for representation of the token and secure it using JSON Object Signing as defined in {{RFC7515}} or CBOR Object Signing and Encryption as defined in {{RFC8152}}. The information from the contained Status List may give a Relying Party additional information about up-to-date status of the Referenced Token.
 
 # Status List {#status-list}
 
@@ -200,7 +215,7 @@ The following content applies to the JWT Header:
 
 The following content applies to the JWT Claims Set:
 
-* `iss`: REQUIRED. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Status List Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the Referenced Token.
+* `iss`: REQUIRED when also present in the Referenced Token. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Status List Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the Referenced Token.
 * `sub`: REQUIRED. The `sub` (subject) claim MUST specify a unique string identifier for the Status List Token. The value MUST be equal to that of the `uri` claim contained in the `status_list` claim of the Referenced Token.
 * `iat`: REQUIRED. The `iat` (issued at) claim MUST specify the time at which the Status List Token was issued.
 * `exp`: OPTIONAL. The `exp` (expiration time) claim, if present, MUST specify the time at which the Status List Token is considered expired by its issuer.
@@ -231,15 +246,15 @@ TBD
 
 ## Status Claim {#status-claim}
 
-By including a "status" claim in a Referenced Token, the issuer is referencing a mechanism to retrieve status information about this Referenced Token. The claim contains members used to reference to a status list as defined in this specification. Other members of the "status" object may be defined by other specifications. This is analogous to "cnf" claim in Section 3.1 of {{RFC7800}} in which different authenticity confirmation methods can be included.
+By including a "status" claim in a Referenced Token, the Issuer is referencing a mechanism to retrieve status information about this Referenced Token. The claim contains members used to reference to a status list as defined in this specification. Other members of the "status" object may be defined by other specifications. This is analogous to "cnf" claim in Section 3.1 of {{RFC7800}} in which different authenticity confirmation methods can be included.
 
 ## Referenced Token in JWT Format {#referenced-token-jwt}
 
 The Referenced Token MUST be encoded as a "JSON Web Token (JWT)" according to {{RFC7519}}.
 
 The following content applies to the JWT Claims Set:
 
-* `iss`: REQUIRED. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Referenced Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the referenced Status List Token.
+* `iss`: REQUIRED when also present in the Status List Token. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Referenced Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the referenced Status List Token.
 * `status`: REQUIRED. The `status` (status) claim MUST specify a JSON Object that contains at least one reference to a status mechanism.
   * `status_list`: REQUIRED when the status list mechanism defined in this specification is used. It contains a reference to a Status List or Status List Token. The object contains exactly two claims:
     * `idx`: REQUIRED. The `idx` (index) claim MUST specify an Integer that represents the index to check for status information in the Status List for the current Referenced Token. The value of `idx` MUST be a non-negative number, containing a value of zero or greater.
@@ -399,7 +414,7 @@ TODO elaborate on status list only providing the up-to date/latest status, no hi
 
 ## Issuer tracking and Herd Privacy {#privacy-issuer}
 
-The main privacy consideration for a Status List, especially in the context of the Issuer-Holder-Verifier model, is to prevent the Issuer from tracking the usage of the Referenced Token when the status is being checked. If an Issuer offers status information by referencing a specific token, this would enable him to create a profile for the issued token by correlating the date and identity of Relying Parties, that are requesting the status.
+The main privacy consideration for a Status List, especially in the context of the Issuer-Holder-Verifier model {{SDJWTVC}}, is to prevent the Issuer from tracking the usage of the Referenced Token when the status is being checked. If an Issuer offers status information by referencing a specific token, this would enable him to create a profile for the issued token by correlating the date and identity of Relying Parties, that are requesting the status.
 
 The Status List approaches these privacy implications by integrating the status information of many Referenced Tokens into the same list. Therefore, the Issuer does not learn for which Referenced Token the Relying Party is requesting the Status List. The privacy of the Holder is protected by the anonymity within the set of Referenced Tokens in the Status List, also called herd privacy. This limits the possibilities of tracking by the Issuer.
 
@@ -480,9 +495,9 @@ Specification Document(s):
 
 ## Media Type Registration
 
-This section requests registration of the following media types [@RFC2046] in
-the "Media Types" registry [@IANA.MediaTypes] in the manner described
-in [@RFC6838].
+This section requests registration of the following media types {{RFC2046}} in
+the "Media Types" registry{{IANA.MediaTypes}} in the manner described
+in {{RFC6838}}.
 
 To indicate that the content is an JSON-based Status List:
 
@@ -491,10 +506,10 @@ To indicate that the content is an JSON-based Status List:
   * Required parameters: n/a
   * Optional parameters: n/a
   * Encoding considerations: binary; A JSON-based Status List is a JSON Object.
-  * Security considerations: See (#Security) of [[ this specification ]]
+  * Security considerations: See (#Security) of \[ this specification \]
   * Interoperability considerations: n/a
-  * Published specification: [[ this specification ]]
-  * Applications that use this media type: Applications using [[ this specification ]] for updated status information of tokens
+  * Published specification: \[ this specification \]
+  * Applications that use this media type: Applications using \[ this specification \] for updated status information of tokens
   * Fragment identifier considerations: n/a
   * Additional information:
     * File extension(s): n/a
@@ -513,10 +528,10 @@ To indicate that the content is an JWT-based Status List:
   * Required parameters: n/a
   * Optional parameters: n/a
   * Encoding considerations: binary; A JWT-based Status List is a JWT; JWT values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') characters.
-  * Security considerations: See (#Security) of [[ this specification ]]
+  * Security considerations: See (#Security) of \[ this specification \]
   * Interoperability considerations: n/a
-  * Published specification: [[ this specification ]]
-  * Applications that use this media type: Applications using [[ this specification ]] for updated status information of tokens
+  * Published specification: \[ this specification \]
+  * Applications that use this media type: Applications using \[ this specification \] for updated status information of tokens
   * Fragment identifier considerations: n/a
   * Additional information:
     * File extension(s): n/a
@@ -535,10 +550,10 @@ To indicate that the content is an CBOR-based Status List:
   * Required parameters: n/a
   * Optional parameters: n/a
   * Encoding considerations: binary; A CBOR-based Status List is a CBOR Object.
-  * Security considerations: See (#Security) of [[ this specification ]]
+  * Security considerations: See (#Security) of \[ this specification \]
   * Interoperability considerations: n/a
-  * Published specification: [[ this specification ]]
-  * Applications that use this media type: Applications using [[ this specification ]] for updated status information of tokens
+  * Published specification: \[ this specification \]
+  * Applications that use this media type: Applications using \[ this specification \] for updated status information of tokens
   * Fragment identifier considerations: n/a
   * Additional information:
     * File extension(s): n/a
@@ -557,10 +572,10 @@ To indicate that the content is an CWT-based Status List:
   * Required parameters: n/a
   * Optional parameters: n/a
   * Encoding considerations: binary;
-  * Security considerations: See (#Security) of [[ this specification ]]
+  * Security considerations: See (#Security) of \[ this specification \]
   * Interoperability considerations: n/a
-  * Published specification: [[ this specification ]]
-  * Applications that use this media type: Applications using [[ this specification ]] for updated status information of tokens
+  * Published specification: \[ this specification \]
+  * Applications that use this media type: Applications using \[ this specification \] for updated status information of tokens
   * Fragment identifier considerations: n/a
   * Additional information:
     * File extension(s): n/a
@@ -613,7 +628,9 @@ for their valuable contributions, discussions and feedback to this specification
 -02
 
 * add ttl claim to Status List Token to convey caching
+* relax requirements on referenced token
 * clarify Deflate / zlib compression
+* make a reference to the Issuer-Holder-Verifier model of SD-JWT VC
 
 -01
 
