The term Issuer SHOULD NOT be used to refer to an entity acting "for all three roles"

[Denisthemalice]

On page 3, the text states:

If not further specified, the term Issuer may refer to an entity acting for all three roles.

This sentence should be removed.

The role of the Issuer and of the Status Issuer should be kept separate in the whole document.
A Status Issuer does not have access to the data that has been provided when the user was enrolled by the Issuer.

As a consequence, the following sentence should be reconsidered:

If the roles of the Issuer and the Status Provider are performed by
two different entities, this may give additional privacy assurances
as the Issuer has no means to identify the Relying Party or its
request.

These "additional privacy assurances" exist as soon as the role of the Issuer and of the Status Issuer are kept separate.

[paulbastian]

Could you elaborate at which parts of the draft it does not fit in your opinion?

[Denisthemalice]

See the issue #227 "Which keys should be used to sign and verify Status List Tokens ?" which contains more details.

If the same key is used to sign the Referenced Token and the Token Status List, then the term Issuer may refer to an entity acting for all three roles.

If the Issuer and the Status Issuer use different keys, then the role of the entity signing Referenced Tokens should not be confused with the role of the entity signing Token Status Lists.

[paulbastian]

And are there particular sections in the draft where you think the usage of the term "Issuer" is not correct?

[paulbastian]

Editors Call:

• pending close unless specific line references to the draft are given on this issue

[paulbastian]

The issues from #227 are being resolved in #248

[Denisthemalice]

The sentence which is incorrect is:

If not further specified, the term Issuer may refer to an entity acting for all three roles.

This sentence should be removed

Section 3 (Terminology) states:

Issuer: An entity that issues the Referenced Token.

Status Issuer: An entity that issues the Status List Token about the status information of the Referenced Token. This role may be fulfilled by the Issuer.

Status Provider: An entity that provides the Status List Token on a public endpoint. This role may be fulfilled by the "Status Issuer".

I am still not convinced that the role of a "Status Provider" needs to be considered as separate from the role of the Status Issuer.

In RFC 5280, the role of the "CRL issuer" is recognized, but the role for a "CRL Provider" does not exist.
As CRLs and Status List Tokens are similar, I don't see for which reason we should introduce the role of a "Status Provider".

A Status Provider should also use a single "distribution point". I noticed that only one "distribution point" is being used,
but it would not hurt to use the plural: a CRL issuer can use several "distribution points". Why should it be otherwise for a Status Issuer ?

IMO, the definition of a "Status Provider" should be removed.

The definition of a Status Issuer should be replaced by:

Status Issuer: An entity that issues Status List Tokens about status information of Referenced Tokens using distribution points.
This role may be fulfilled by the Issuer.

The first definition would be better when using the plural:

Issuer: An entity that issues Referenced Tokens.

In section 6.2, the text states:

6.2. Referenced Token in JOSE

(...)

The following content applies to the JWT Claims Set:

     (...)

     o  uri: REQUIRED.  The uri (URI) claim MUST specify a String
        value that identifies the Status List Token containing the
        status information for the Referenced Token.  The value of
        uri MUST be a URI conforming to [RFC3986].

Change into:

     o  uris: REQUIRED.  JSON array of strings that contains URIs 
        that identify one or more Status List Tokens containing the status 
        information for the Referenced Token.  The value of each uri 
        MUST be a URI conforming to [RFC3986].

Perform the same type of change for section 6.3(Referenced Token in COSE)