Commit 7426e72

Merge pull request #204 from oauth-wg/c2bo/security-considerations
update security considerations
2 parents bdc125d + 18c39b0 commit 7426e72

1 file changed

+3
-0
lines changed

draft-ietf-oauth-status-list.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -820,6 +820,8 @@ Resulting in the byte array and compressed/base64url-encoded Status List:
820820

821821
# Security Considerations {#Security}
822822

823+
The Status List as defined in [](#status-list) only exists in cryptographically secured containers which allows checking the integrity and origin without relying on other aspects like transport security (e.g., the web PKI).
824+
823825
## Correct decoding and parsing of the encoded Status List
824826

825827
Implementers should be particularly careful for the correct parsing and decoding of the Status List. Incorrect implementations might check the index on the wrong data or miscalculate the bit and byte index leading to an erroneous status of the Referenced Token. Beware, that bits are indexed (bit order) from least significant bit to most significant bit (also called "right to left") while bytes are indexed (byte order) in their natural incrementing byte order (usually written for display purpose from left to write). Endianness does not apply here because each status value fits within a single byte.
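Review bot: the verb in the added sentence at line 823 does not agree with its subject ("containers which allows"); suggest "in cryptographically secured containers, which allow checking the integrity and origin". The property claimed here only holds if the Relying Party actually verifies the container's signature and issuer binding before it reads any status bits, so consider stating that explicitly in this sentence or pointing at the section that requires it, rather than leaving it implied. While this section is being edited, the unchanged context line below reads "left to write" where "left to right" is meant.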
@@ -1240,6 +1242,7 @@ for their valuable contributions, discussions and feedback to this specification
12401242

12411243
-06
12421244

1245+
* explicitly mention that status list is expected to be contained in cryptographically secured containers
12431246
* reworked and simplified introduction and abstract
12441247
* specify http status codes and allow redirects
12451248
* add status_list_aggregation_endpoint OAuth metadata
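Review bot: the new -06 bullet says the status list is "expected to be contained" in cryptographically secured containers, while the sentence added in the Security Considerations hunk says it "only exists" in such containers; pick one strength and use it in both places so the changelog does not understate the normative text. Placing the entry at the top of the -06 list matches the ordering of the other entries.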
