On Wed, Aug 11, 2021 at 06:42:47AM +0000, Ludwig Seitz wrote: > Hello Ace, > > I'm currently dealing with some nits in draft-ietf-ace-oauth-authz that I > have discovered during the final IANA check. For one of them I need group > feedback: > > The draft defines a CBOR abbreviation for the Introspection parameter 'cti' > which is the CWT identifier defined in RFC 8392, however it turns out that > parameter was never defined as Introspection response parameter, it only > exists as CWT claim. > > Can this draft just add 'cti' to the OAuth Token Introspection Response > parameters without affecting the progress of the draft at this stage?
The relevant OAuth registry operates under the "specification required" policy. Since we don't currently talk about "cti" in Section 5.9.2 that covers the other introspection response parameters (nor elsewhere that I could find), I think this means we'd need to add a new paragraph or so of text to describe the use of this introspection response parameter (i.e., by analogoy to the existing "jti" introspection response parameter). That's enough new text that I'd want to see a specific all for comment on the WG list to confirm consensus (probably two weeks, since we're already in the RFC Editor queue and there is not much slack time later in the process). I'll also float the topic with the IESG and get a better handle on whether an IETF-wide call is needed as well (myself, I don't see a need, since the work as a whole pretty clearly envisions that this is part of it). Thanks for catching this, and sorry that it is not easier to resolve. -Ben _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
