Merge pull request #90 from vcstuff/c2bo/status-reference

paulbastian · web-flow · commit 6eaf6e59123c · 2024-02-06T08:04:43.000+01:00
Establish a mechanism that allows for other revocation means in the Referenced Token
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md
@@ -33,9 +33,11 @@ normative:
   RFC6125: RFC6125
   RFC9110: RFC9110
   RFC9111: RFC9111
+  IANA.JWT: IANA.JWT
 informative:
   RFC6749: RFC6749
   RFC7662: RFC7662
+  RFC7800: RFC7800
 
 --- abstract
 
@@ -81,6 +83,8 @@ Revocation mechanisms are an essential part for most identity ecosystems. In the
 
 This specification seeks to find a balance between scalability, security, and privacy by minimizing the status information to mere bits (often a single bit) and compressing the resulting binary data. Thereby, a Status List may contain statuses of many thousands or millions Referenced Tokens while remaining as small as possible. Placing large amounts of Referenced Tokens into the same list also enables herd privacy relative to the Issuer.
 
+This specification establishes the IANA "Status Mechanism Methods" registry for status mechanism and registers the members defined by this specification. Other specifications can register other members used for status retrieval.
+
 ## Design Considerations
 
 The decisions taken in this specification aim to achieve the following design goals:
@@ -92,6 +96,7 @@ The decisions taken in this specification aim to achieve the following design go
 * the Status List shall enable caching policies and offline support
 * the specification shall support JSON and CBOR based tokens
 * the specification shall not specify key resolution or trust frameworks
+* the specification shall design an extension point to convey information about the status of a token that can be re-used by other mechanisms
 
 # Conventions and Definitions
 
@@ -196,7 +201,7 @@ The following content applies to the JWT Header:
 The following content applies to the JWT Claims Set:
 
 * `iss`: REQUIRED. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Status List Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the Referenced Token.
-* `sub`: REQUIRED. The `sub` (subject) claim MUST specify a unique string identifier for that Status List Token. The value MUST be equal to that of the `uri` claim contained in the `status` claim of the Referenced Token.
+* `sub`: REQUIRED. The `sub` (subject) claim MUST specify a unique string identifier for that Status List Token. The value MUST be equal to that of the `uri` claim contained in the `status_list` claim of the Referenced Token.
 * `iat`: REQUIRED. The `iat` (issued at) claim MUST specify the time at which the Status List Token was issued.
 * `exp`: OPTIONAL. The `exp` (expiration time) claim MAY convey the time at which it is considered expired by its issuer.
 * `status_list`: REQUIRED. The `status_list` (status list) claim MUST specify the Status List conforming to the rules outlined in [](#status-list-json).
@@ -223,16 +228,21 @@ TBD
 
 # Referenced Token {#referenced-token}
 
+## Status Claim {#status-claim}
+
+By including a "status" claim in a Referenced Token, the issuer is referencing a mechanism to retrieve status information about this Referenced Token. The claim contains members used to reference to a status list as defined in this specification. Other members of the "status" object may be defined by other specifications. This is analogous to "cnf" claim in Section 3.1 of {{RFC7800}} in which different authenticity confirmation methods can be included.
+
 ## Referenced Token in JWT Format {#referenced-token-jwt}
 
 The Referenced Token MUST be encoded as a "JSON Web Token (JWT)" according to {{RFC7519}}.
 
 The following content applies to the JWT Claims Set:
 
 * `iss`: REQUIRED. The `iss` (issuer) claim MUST specify a unique string identifier for the entity that issued the Referenced Token. In the absence of an application profile specifying otherwise, compliant applications MUST compare issuer values using the Simple String Comparison method defined in Section 6.2.1 of {{RFC3986}}. The value MUST be equal to that of the `iss` claim contained within the referenced Status List Token.
-* `status`: REQUIRED. The `status` (status) claim MUST specify a JSON Object that contains a reference to a status of a Status List or Status List Token. The object contains exactly two claims:
-  * `idx`: REQUIRED. The `idx` (index) claim MUST specify an Integer that represents the index to check for status information in the Status List for the current Referenced Token. The value of `idx` MUST be a non-negative number, containing a value of zero or greater.
-  * `uri`: REQUIRED. The `uri` (URI) claim MUST specify a String value that identifies the Status List or Status List Token containing the status information for the Referenced Token. The value of `uri` MUST be a URI conforming to {{RFC3986}}.
+* `status`: REQUIRED. The `status` (status) claim MUST specify a JSON Object that contains at least one reference to a status mechanism.
+  * `status_list`: REQUIRED when the status list mechanism defined in this specification is used. It contains a reference to a Status List or Status List Token. The object contains exactly two claims:
+    * `idx`: REQUIRED. The `idx` (index) claim MUST specify an Integer that represents the index to check for status information in the Status List for the current Referenced Token. The value of `idx` MUST be a non-negative number, containing a value of zero or greater.
+    * `uri`: REQUIRED. The `uri` (URI) claim MUST specify a String value that identifies the Status List or Status List Token containing the status information for the Referenced Token. The value of `uri` MUST be a URI conforming to {{RFC3986}}.
 
 Application of additional restrictions and policy are at the discretion of the verifying party.
 
@@ -248,8 +258,10 @@ The following is a non-normative example for a decoded header and payload of a R
 {
   "iss": "https://example.com",
   "status": {
-    "idx": 0,
-    "uri": "https://example.com/statuslists/1"
+    "status_list": {
+      "idx": 0,
+      "uri": "https://example.com/statuslists/1"
+    }
   }
 }
 ~~~
@@ -421,19 +433,43 @@ TBD Declare whether JWT and CWT representations can be used interchangeably by t
 ## JSON Web Token Claims Registration
 
 This specification requests registration of the following Claims in the
-IANA "JSON Web Token Claims" registry [@IANA.JWT] established by [@!RFC7519].
+IANA "JSON Web Token Claims" registry {{IANA.JWT}} established by {{RFC7519}}.
+
+### Registry Contents
 
 *  Claim Name: `status`
-*  Claim Description: Reference to a status list containing up-to-date status information on the JWT.
+*  Claim Description: Reference to a status or validity mechanism containing up-to-date status information on the JWT.
 *  Change Controller: IETF
-*  Specification Document(s):  [[ (#referenced-token-jwt) of this specification ]]
+*  Specification Document(s):  [](#status-claim) of this specification
+
+## JWT Status Mechanism Methods Registry {#iana-registry}
+
+This specification establishes the IANA "Status Mechanism Methods" registry for JWT "status" member values. The registry records the status mechanism method member and a reference to the specification that defines it.
+
+### Registration Template
+
+Status Method Value:
+
+  > The name requested (e.g., "status_list"). The name is case sensitive. Names may not match other registered names in a case-insensitive manner unless the Designated Experts state that there is a compelling reason to allow an exception.
+
+Status Method Description:
+
+  > Brief description of the status mechanism method.
+
+Change Controller:
+
+  > For Standards Track RFCs, list the "IESG".  For others, give the name of the responsible party.  Other details (e.g., postal address, email address, home page URI) may also be included.
+
+Specification Document(s):
+
+  > Reference to the document or documents that specify the parameter, preferably including URIs that can be used to retrieve copies of the documents.  An indication of the relevant sections may also be included but is not required.
 
-<br/>
+### Initial Registry Contents
 
-*  Claim Name: `status_list`
-*  Claim Description: A status list containing up-to-date status information on multiple other JWTs encoded as a bitarray.
+*  Status Method Value: `status_list`
+*  Status Method Description: A status list containing up-to-date status information on multiple other JWTs encoded as a bitarray.
 *  Change Controller: IETF
-*  Specification Document(s):  [[ (#status-list-json) of this specification ]]
+*  Specification Document(s):  [](#referenced-token-jwt) of this specification
 
 ## Media Type Registration
 
@@ -555,6 +591,7 @@ for their valuable contributions, discussions and feedback to this specification
 -01
 
 * add design consideration to the introduction
+* Change status claim to in referenced token to allow re-use for other mechanisms
 * restructure the sections of this document
 * add option to return an unsigned Status List
 * Changing compression from gzip to zlib
@@ -568,7 +605,7 @@ for their valuable contributions, discussions and feedback to this specification
 * renamed Verifier to Relying Party
 * added IANA consideration
 
-[draft-ietf-oauth-status-list ]
+\[ draft-ietf-oauth-status-list \]
 
 -01
 
