You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-status-list.md
+18-5Lines changed: 18 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -152,8 +152,6 @@ Revocation mechanisms are an essential part for most identity ecosystems. In the
152
152
153
153
This specification seeks to find a balance between scalability, security, and privacy by minimizing the status information to mere bits (often a single bit) and compressing the resulting binary data. Thereby, a Status List may contain statuses of many thousands or millions Referenced Tokens while remaining as small as possible. Placing large amounts of Referenced Tokens into the same list also enables herd privacy relative to the Status Provider.
154
154
155
-
This specification establishes the IANA "Status Mechanism Methods" registry for status mechanism and registers the members defined by this specification. Other specifications can register other members used for status retrieval.
156
-
157
155
## Design Considerations
158
156
159
157
The decisions taken in this specification aim to achieve the following design goals:
@@ -167,6 +165,10 @@ The decisions taken in this specification aim to achieve the following design go
167
165
* the specification shall not specify key resolution or trust frameworks
168
166
* the specification shall design an extension point to convey information about the status of a token that can be re-used by other mechanisms
169
167
168
+
## Status Mechanism Registry
169
+
170
+
This specification establishes the IANA "Status Mechanism Methods" registry for status mechanism and registers the members defined by this specification. Other specifications can register other members used for status retrieval. Other status mechanisms may have different tradeoffs regarding security, privacy, scalability adn complexity. The privacy and security considerations in this document only represent the properties of the Status List mechanism.
171
+
170
172
# Conventions and Definitions
171
173
172
174
{::boilerplate bcp14-tagged}
@@ -905,16 +907,22 @@ This behaviour could be mitigated by:
905
907
906
908
## Unlinkability
907
909
908
-
Colluding Issuers and Relying Parties have the possibility to link two transactions, as the tuple of `uri` and `index` inside the Referenced Token are unique and therefore traceable data. By comparing the status claims of received Referenced Tokens, two colluding Relying Parties could determine that they have interacted with the same user or an Issuer could trace the usage of its issued Referenced Token by colluding with various Relying Parties. It is therefore recommended to use Status Lists for Referenced Token formats that have similar unlinkability properties.
910
+
The tuple of uri and index inside the Referenced Token are unique and therefore is traceable data.
911
+
912
+
### Colluding Relying Parties
909
913
910
-
To avoid privacy risks for colluding Relying Parties, it is RECOMMENDED that Issuers use batch issuance to issue multiple tokens, see [](#implementation-lifecycle).
914
+
Two or more colluding Relying Parties may link two transactions involving the same Referenced Token by comparing the status claims of received Referenced Tokens, and therefore determine that they have interacted with the same Holder.
911
915
912
-
To avoid further correlatable information by the values of `uri` and `index`, Issuers are RECOMMENDED to:
916
+
To avoid privacy risks for colluding Relying Parties, it is RECOMMENDED that Issuers use batch issuance to issue multiple Referenced Tokens, see [](#implementation-lifecycle). To avoid further correlatable information by the values of `uri` and `index`, Status Issuers are RECOMMENDED to:
913
917
914
918
- choose non-sequential, pseudo-random or random indices
915
919
- use decoy entries to obfuscate the real number of Referenced Tokens within a Status List
916
920
- choose to deploy and utilize multiple Status Lists simultaneously
917
921
922
+
### Colluding Status Issuer and Relying Party
923
+
924
+
A Status Issuer and a Relying Party Issuer may link two transaction involving the same Referenced Tokens by comparing the status claims of the Referenced Token, and therefore determine that they have interacted with the same Holder. It is therefore recommended to use Status Lists for Referenced Token formats that have similar unlinkability properties.
925
+
918
926
## Third Party Hosting {#third-party-hosting}
919
927
920
928
If the roles of the Issuer and the Status Provider are performed by two different entities, this may give additional privacy assurances as the Issuer has no means to identify the Relying Party or its request.
@@ -1277,6 +1285,11 @@ for their valuable contributions, discussions and feedback to this specification
1277
1285
# Document History
1278
1286
{:numbered="false"}
1279
1287
1288
+
-07
1289
+
1290
+
* emphasize that security and privacy considerations only apply to Status List and no other status mechanisms
1291
+
* differentiate unlinkability between Issuer-RP and RP-RP
1292
+
1280
1293
-06
1281
1294
1282
1295
* iana registration text updated with update procedures
0 commit comments