> On Sep 24, 2024, at 8:22 AM, Watson Ladd <[email protected]> wrote:
>
> But is what they implement secure?
>
> We added lots of appendices to TLS 1.3 to help authors of under standards
> understand what they had to say to get a secure result.
>
> Adding unactionable mitigations doesn't help anyone including the authors of
> the other documents you think will define this.

TLS 1.3 is a protocol while this is a base document format. Both should be documenting things within their scope for implementers.

For example, TLS 1.3 does not give guidelines on what operational and other policies one should look for in selecting trusted certificate authorities, even though a common set of trusted CAs is vital for public web infrastructure.

Is there specific guidance beyond 10.3. and 11.1. that targets particular properties (such as unlinkability between two issued SD-JWTs) and not particular use cases (how a protocol which issues digital credentials should operate)?

-DW

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
