IETF Logo Mail Archive

[OAUTH-WG] Re: WGLC for Token Status List

Watson Ladd <watsonbladd@gmail.com> Thu, 02 January 2025 21:49 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8C5FC14F704 for <oauth@ietfa.amsl.com>; Thu, 2 Jan 2025 13:49:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RAYAsUjHykI1 for <oauth@ietfa.amsl.com>; Thu, 2 Jan 2025 13:49:19 -0800 (PST)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C9A1C14F5E3 for <oauth@ietf.org>; Thu, 2 Jan 2025 13:49:19 -0800 (PST)
Received: by mail-wr1-x42f.google.com with SMTP id ffacd0b85a97d-385df53e559so9213946f8f.3 for <oauth@ietf.org>; Thu, 02 Jan 2025 13:49:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1735854558; x=1736459358; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6cccy/CCcph9esKd/OK9HXWoUFJxhr5i3I8Y9g6HaJo=; b=ahfo5BdBDTn36y++ejMf7Bepx6PyeIXvV8iyzB2NCFhyH8FOk/kvcqF5pP/aIyA2JP uq4aYdElWCT2jIosGWrsF79UV32vVJgvIuK395jCeQidlE+gJ4xJ7mybCs6LJJutSZP6 Z2q86J+6BkrVoJw64cvNwDHDyGsazJK4QhcXxfdHg9HejivCizSzDXov7KigOvYkqlDQ BmLTaKwz/dfB5CZ7ZasodxJAoyxEJC1igwVtwWbsS+55HGe0+d++q5Q7xVvGMvgGsJEH xhTxZlQwhB96eYV1RSyeWlN7DKOva0bGbD5m9ZCLmacATd7ElwuESh3t4qZMfypNlm5F JMRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1735854558; x=1736459358; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6cccy/CCcph9esKd/OK9HXWoUFJxhr5i3I8Y9g6HaJo=; b=LVneI/MA+Gl1mNTh8CvnYCx4sZCHpqkjITMejZUKCC42FYpKGakoC1F9a+/eDNs2Dk HBEcmRLlJS2eI19AfUeOr+Q5yxXw9coscebfWIkmZH1h/Cw1fudtbLB8JeDeqLzBx2I9 Mi1Sg9G9JkFNsdOKAnAu7NvkHqqhd3ydhWmAqIJkAVyVWtSGtQvyyubxOei0ziI9cLym nnvJ7XInqqrRa8f/3+kkogHZHQAL0Msqt14SLrpcPPOCyK+KzMeLAzk1MXdYuJE91iPE h9UCaJII7T6NFpI3S2yQNlKVDeC8Dvn5gtGDo9Lzb9VSaFNc1itVLvzdltJ9FqMgS/ac CugQ==
X-Gm-Message-State: AOJu0Yx5ssvGCaUqruvBMPU6G4gP+gG/QawJlx5rotWNGrXXUgLSKgfR /bpn3M6TpEmliNejn/Kq70vNEddeUuitwNJFgs84Jh6ZYHw0/A++rDAIGXOEBAJTfZSMEMjVF5l kzSYcdRGMECRU8iuD7qOAobEtGGnIew==
X-Gm-Gg: ASbGncuffz6/IzQXNrWh68Q8w8RzVld8TjRDnhjvYbknHMgwDVwtheRWMuBpgF4s/Dl WzqAVEbDVA+HrBN1OIS+NDtlYc4L5zekzfwFWnQbFTc8t1sMyRV8SOdIDPvMWHtCs4mz7HO4=
X-Google-Smtp-Source: AGHT+IHEBTa27Gyh1aQPyxFoCp5WRqEbtYM/fKG67tC+iwv7WgJ5tmkM9x3dCyLhSEtE72rZHmvUtFJao5OmEAcIGhE=
X-Received: by 2002:a05:6000:2ca:b0:386:3e87:2cd6 with SMTP id ffacd0b85a97d-38a223ffc3dmr32979540f8f.38.1735854557544; Thu, 02 Jan 2025 13:49:17 -0800 (PST)
MIME-Version: 1.0
References: <CADNypP_kmt2PdOJoUa+TNpYHYbfdyv+j2pteSaHsrPk4oxdqFw@mail.gmail.com>
In-Reply-To: <CADNypP_kmt2PdOJoUa+TNpYHYbfdyv+j2pteSaHsrPk4oxdqFw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 02 Jan 2025 13:49:06 -0800
Message-ID: <CACsn0cmrJBBAZNbuikO5uOZvsvANJt2xuvirrAyXUqbR6LV73g@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Message-ID-Hash: NRG2VOWPVAM7OKAJWL4GLBVCE5C7Y4JK
X-Message-ID-Hash: NRG2VOWPVAM7OKAJWL4GLBVCE5C7Y4JK
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: WGLC for Token Status List
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oCNihban16wHLjPXxi4zXY6Z1sQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hello,

I've taken a look at the document. There are some things that confuse me.

First off section 1.3 isn't something I've seen in other IETF
documents. I do think it's a good idea.

The allocation of status types in the registry has implications, and I
don't think they are the right ones. First it implies that any
application that uses 2 bits has only one application defined status
available. Why not always make it application defined and say "here is
the default that is useful"? On that note I don't get temporary
expiry: why not reissue in those cases?

I do like the thoroughness of the security considerations section.
Perhaps a .well-known URL should be suggested to avoid a tracking
vector.

I think we should strongly recommend partitioning status lists by
expiry of issued tokens. This makes retirement much easier.

X509 CRLs weren't that bad a representation of a list of revocations,
especially when a small number were revoked. The reasons that
environment failed were more complex. I think we should put text in
encouraging short lived tokens instead.

Sincerely,
Watson
-- 
Astra mortemque praestare gradatim

v2.29.0 | Report a Bug | By Email | System Status