Merge branch 'main' into comments_by_denis_3

tplooker · web-flow · commit 8e9bc4fee796 · 2025-07-07T18:12:35.000+12:00
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md
@@ -744,7 +744,7 @@ To obtain the Status List Token, the Relying Party MUST send an HTTP GET request
 
 The HTTP endpoint SHOULD support the use of Cross-Origin Resource Sharing (CORS) {{CORS}} and/or other methods as appropriate to enable Browser-based clients to access it, unless ecosystems using this specification choose not to support Browser-based clients.
 
-The Relying Party MUST send the following Accept-Header to indicate the requested response type:
+The Relying Party SHOULD send the following Accept HTTP Header to indicate the requested response type unless the Content-Type of Status List Tokens in the respective ecosystem is known or the Relying Party supports both formats:
 
 - "application/statuslist+jwt" for Status List Token in JWT format
 - "application/statuslist+cwt" for Status List Token in CWT format
@@ -901,16 +901,17 @@ The following is a non-normative example for media type `application/json`:
 # X.509 Certificate Extended Key Usage Extension {#eku}
 
 {{RFC5280}} specifies the Extended Key Usage (EKU) X.509 certificate extension for use on end entity certificates. The extension indicates one or more purposes for which the certified public key is valid. The EKU extension can be used in conjunction with the Key Usage (KU) extension, which indicates the set of basic cryptographic operations for which the certified key may be used. A certificate's issuer explicitly delegates Status List Token signing authority by issuing a X.509 certificate containing the KeyPurposeId defined below in the extended key usage extension.
+Other specifications MAY choose to re-use this OID for other status mechanisms under the condition that they are registered in the "JWT Status Mechanisms" or "CWT Status Mechanisms" registries.
 
 The following OID is defined for usage in the EKU extension
 
-```
-   id-kp  OBJECT IDENTIFIER  ::=
+~~~
+  id-kp  OBJECT IDENTIFIER  ::=
        { iso(1) identified-organization(3) dod(6) internet(1)
          security(5) mechanisms(5) pkix(7) 3 }
 
-   id-kp-oauthStatusListSigning             OBJECT IDENTIFIER ::= { id-kp TBD }
-```
+  id-kp-oauthStatusSigning OBJECT IDENTIFIER ::= { id-kp TBD }
+~~~
 
 # Security Considerations {#Security}
 
@@ -1900,13 +1901,15 @@ CBOR encoding:
 
 -12
 
+* Allow for extended key usage OID to be used for other status mechanisms
 * add Paul's affiliation
 * add feedback from Dan Moore
 * change JSON Status List structure to only contain JSON object
 * further nitpicks
 * clarifying status and status_list IANA descriptions for JWT/CWT
 * clarifying description texts for status and status_list in CBOR
 * splitting Linkability Mitigation from Token Lifecycle section in Implementation Consideration
+* relax the accept header from must to should
 
 -11
 
