[OAUTH-WG] Comments on two closed issues on github about draft-ietf-oauth-status-list
Denis <denis.ietf@free.fr> Thu, 06 February 2025 15:15 UTC
Message-ID: <73d6f925-818e-4cb9-bc6e-9bb729ed3bec@free.fr>
Date: Thu, 06 Feb 2025 16:15:35 +0100
To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Y4sFBDma4gp2iIksjha_j8nWlZ8>

As a box for comments was still available, I replied to two closed issues. So I wonder if they have been seen.

The comments on these two closed issues are:

a) *The term Issuer SHOULD NOT be used to refer to an entity acting "for all three roles #220*

I am still not convinced that the role of a "Status Provider" needs to be considered as separate from the role of the "Status Issuer".

In RFC 5280, the role of the "CRL issuer" is recognized, but the role for a "CRL Provider" does not exist. As CRLs and Status List Tokens are similar, I don't see for which reason we should introduce the role of a "Status Provider".

I noticed that only one "distribution point" (uri) is being used, but a "CRL issuer" can use several "distribution points". Why should it be different for a "Status Issuer"?

See detailed comments at: https://github.com/oauth-wg/draft-ietf-oauth-status-list/issues/220

b) *Adds an EKU based X.509 certificate extension #246*

Instead of using the Key Usage extension (Section 4.2.1. from RFC 5280) as initially proposed, it has been noticed that the current proposal is to use the Extended Key Usage Extension (Section 4.2.1.12 from RFC 5280).

See detailed comments at: https://github.com/oauth-wg/draft-ietf-oauth-status-list/pull/246

Denis