I am in favor of the adoption, with reservations and observations.
My reservations and observations will be posted in another email under
the following header:
"Reservations and observations about draft JWT and CWT Status List"
The basic idea looks useful for environments where:
- the linkability of tokens between verifiers is desirable or
required, or/and
- end-users are informed that the protocol leaks information that allows
verifiers to link the tokens they receive.
Depending upon the architecture deployed by the token Issuer, the Issuer
may be in a position to act as Big Brother,
i.e. allowing it to know where and when a token it has issued has been used.
Denis
I support adoption. I have questions about the specifics which I'll
try to write up in the next week or so, but the basic idea seems
useful. (The tl;dr of my thoughts is: have we learned everything we
can do from the *many* iterations of similar mechanisms in the PKI
space?)
-- Neil
On 30 Sep 2023, at 13:52, Rifaat Shekh-Yusef
<rifaat.s.i...@gmail.com> wrote:
All,
This is an official call for adoption for the *JWT and CWT Status
List* draft:
https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/
Please, reply *on the mailing list* and let us know if you are in
*favor* or *against* adopting this draft as a WG document, by *Oct 13th*.
Regards,
Rifaat & Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth