You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-status-list.md
+40-28
Original file line number
Diff line number
Diff line change
@@ -976,34 +976,6 @@ If the Issuer of the Referenced Token is a different entity than the Status Issu
976
976
└─────────────────┘
977
977
~~~
978
978
979
-
## Status List Caching
980
-
981
-
When fetching a Status List Token, Relying Parties must carefully evaluate how long a Status List is cached for. Collectively the `iat`, `exp` and `ttl` claims when present in a Status List Token communicate how long a Status List should be cached and should be considered valid for. The following diagram illustrates the relationship between these claims and how they are designed to influence caching.
It is essential to understand the distinct purposes of the `ttl` and `exp` claims. The `ttl` claim represents a duration to be interpreted relative to the time the Status List is fetched, indicating when a new version of the Status List may be available. In contrast, the `exp` claim specifies an absolute timestamp, marking the point in time when the Status List expires and MUST NOT be relied upon any longer. Together, these claims provide guidance on when to check for updates (`ttl` claim) and when the Status List must be refreshed or replaced (`exp` claim).
1006
-
1007
979
# Privacy Considerations
1008
980
1009
981
## Observability of Issuers {#privacy-issuer}
@@ -1123,6 +1095,45 @@ If the roles of the Issuer of the Referenced Token and the Status Issuer are per
1123
1095
1124
1096
If the roles of the Status Issuer and the Status Provider are performed by different entities, this may allow for greater scalability, as the Status List Tokens may be served by operators with greater resources, like CDNs. At the same time the authenticity and integrity of Token Status List is still guaranteed, as it is signed by the Status Issuer.
1125
1097
1098
+
## Status List Update Interval and Caching
1099
+
1100
+
Status Issuers have two options to communicate their update interval policy for the status of their Referenced Tokens:
1101
+
1102
+
- the `exp` claim specifies an absolute timestamp, marking the point in time when the Status List expires and MUST NOT be relied upon any longer
1103
+
- the `ttl` claim represents a duration to be interpreted relative to the time the Status List is fetched, indicating when a new version of the Status List may be available
1104
+
1105
+
Both `ttl` and `exp` are RECOMMENDED to be used by the Status Issuer.
1106
+
1107
+
When fetching a Status List Token, Relying Parties must carefully evaluate how long a Status List is cached for. Collectively the `iat`, `exp` and `ttl` claims when present in a Status List Token communicate how long a Status List should be cached and should be considered valid for. Relying Parties have different options for caching the Status List:
1108
+
1109
+
- After time of fetching, the Relying Party caches the Status List for time duration of `ttl` before making checks for updates. This method is RECOMMENDED to distribute the load for the Status Provider.
1110
+
- After initial fetching, the Relying Party checks for updates at time of `iat` + `ttl`. This method ensures the most up-to-date information for critical use cases. The Relying Party should account a minimal offset due to the signing and distribution process of the Status Issuer.
1111
+
- If no `ttl` is given, then Relying Party SHOULD check for updates latest after time of `exp`.
1112
+
1113
+
Ultimately, its the Relying Parties decision how often to check for updates, ecosystems may define there own guidelines and policies for updating the Status List information.
1114
+
1115
+
The following diagram illustrates the relationship between these claims and how they are designed to influence caching:
## Relying Parties avoiding correlatable Information
1127
1138
1128
1139
If the Relying Party does not require the Referenced Token and the Status List Token after the presentation, e.g. for subsequent status checks or audit trail, it is RECOMMENDED to delete correlatable information, in particular:
@@ -1882,6 +1893,7 @@ CBOR encoding:
1882
1893
1883
1894
-10
1884
1895
1896
+
* improve caching guidelines and move them to implementaiton considerations
1885
1897
* Add CoAP Content-Format ID and IANA registration
1886
1898
* Add size comparison for status list and compressed uuids
1887
1899
* Change Controller IESG for OAuths Parameters Registration
0 commit comments