From d1f97e88c15b6b372052a15e6581bc7fbd1e04d3 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 10 Apr 2025 10:27:08 -0700 Subject: [PATCH 1/6] fix rendering for oid --- draft-ietf-oauth-status-list.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index 5d5a503..9b73b3b 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md @@ -907,13 +907,13 @@ The following is a non-normative example for media type `application/json`: The following OID is defined for usage in the EKU extension -``` +~~~ id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 } id-kp-oauthStatusListSigning OBJECT IDENTIFIER ::= { id-kp TBD } -``` +~~~ # Security Considerations {#Security} From 4678ce97f8307a975c77dc56adad6f16a33dadc8 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 10 Apr 2025 10:32:37 -0700 Subject: [PATCH 2/6] fix line width --- draft-ietf-oauth-status-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index 9b73b3b..eb74258 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md @@ -912,7 +912,7 @@ The following OID is defined for usage in the EKU extension { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 } - id-kp-oauthStatusListSigning OBJECT IDENTIFIER ::= { id-kp TBD } + id-kp-oauthStatusListSigning OBJECT IDENTIFIER ::= { id-kp TBD } ~~~ # Security Considerations {#Security} From f13540dc178e85eaae9109145bc87924d59140df Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 10 Apr 2025 11:04:13 -0700 Subject: [PATCH 3/6] allow other status mechanisms to use the same OID --- draft-ietf-oauth-status-list.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index eb74258..c518d24 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md @@ -904,6 +904,7 @@ The following is a non-normative example for media type `application/json`: ## Extended Key Usage Extension {#eku} {{RFC5280}} specifies the Extended Key Usage (EKU) X.509 certificate extension for use on end entity certificates. The extension indicates one or more purposes for which the certified public key is valid. The EKU extension can be used in conjunction with the Key Usage (KU) extension, which indicates the set of basic cryptographic operations for which the certified key may be used. A certificate's issuer explicitly delegates Status List Token signing authority by issuing a X.509 certificate containing the KeyPurposeId defined below in the extended key usage extension. +Other specifications MAY choose to re-use this OID for other status mechanisms. The following OID is defined for usage in the EKU extension From 1f6df4fae1fc7a82ee52940717ec02e5d41eeb22 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 10 Apr 2025 11:05:21 -0700 Subject: [PATCH 4/6] document history --- draft-ietf-oauth-status-list.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index c518d24..9602964 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md @@ -1892,6 +1892,10 @@ CBOR encoding: # Document History {:numbered="false"} +-11 + +* Allow for extended key usage OID to be used for other status mechanisms + -10 * improve caching guidelines and move them to implementaiton considerations From 612524833bf10c23a00050bd033388153f2357f8 Mon Sep 17 00:00:00 2001 From: Christian Bormann Date: Thu, 10 Apr 2025 11:07:59 -0700 Subject: [PATCH 5/6] rename oid --- draft-ietf-oauth-status-list.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index 9602964..26c53cc 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md @@ -909,11 +909,11 @@ Other specifications MAY choose to re-use this OID for other status mechanisms. The following OID is defined for usage in the EKU extension ~~~ - id-kp OBJECT IDENTIFIER ::= + id-kp OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) 3 } - id-kp-oauthStatusListSigning OBJECT IDENTIFIER ::= { id-kp TBD } + id-kp-oauthStatusSigning OBJECT IDENTIFIER ::= { id-kp TBD } ~~~ # Security Considerations {#Security} From ecae1776a207bcb84fd8847a0b5f4c22b9aaffd6 Mon Sep 17 00:00:00 2001 From: Paul Bastian Date: Tue, 27 May 2025 17:08:37 +0200 Subject: [PATCH 6/6] Update draft-ietf-oauth-status-list.md Co-authored-by: Christian Bormann <8774236+c2bo@users.noreply.github.com> --- draft-ietf-oauth-status-list.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-status-list.md b/draft-ietf-oauth-status-list.md index 0087c36..912a062 100644 --- a/draft-ietf-oauth-status-list.md +++ b/draft-ietf-oauth-status-list.md 
@@ -902,7 +902,7 @@ The following is a non-normative example for media type `application/json`: # X.509 Certificate Extended Key Usage Extension {#eku} {{RFC5280}} specifies the Extended Key Usage (EKU) X.509 certificate extension for use on end entity certificates. The extension indicates one or more purposes for which the certified public key is valid. The EKU extension can be used in conjunction with the Key Usage (KU) extension, which indicates the set of basic cryptographic operations for which the certified key may be used. A certificate's issuer explicitly delegates Status List Token signing authority by issuing a X.509 certificate containing the KeyPurposeId defined below in the extended key usage extension. -Other specifications MAY choose to re-use this OID for other status mechanisms. +Other specifications MAY choose to re-use this OID for other status mechanisms under the condition that they are registered in the "JWT Status Mechanisms" or "CWT Status Mechanisms" registries. The following OID is defined for usage in the EKU extension
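Review bot: In PATCH 3/6 (hunk @@ -904,6 +904,7 @@), the added sentence "Other specifications MAY choose to re-use this OID for other status mechanisms." directly follows the statement that the issuer "explicitly delegates Status List Token signing authority" with this KeyPurposeId, and nothing says how a verifier tells the two uses apart. The EKU extension carries only the OID, so a verifier that checks only for this KeyPurposeId would treat a certificate issued for a different status mechanism as authorized to sign Status List Tokens. Suggest saying so in this paragraph or in Security Considerations, and stating what else a relying party is expected to check.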
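Review bot: In PATCH 4/6 (hunk @@ -1892,6 +1892,10 @@), the new "-11" history entry records only the re-use of the OID; the rename to id-kp-oauthStatusSigning in PATCH 5/6 and the registry condition added in PATCH 6/6 are not listed. Suggest adding a bullet for each. The new bullet also starts with a capital ("Allow") while the "-10" bullet below it is lowercase ("improve"), and that context line carries the typo "implementaiton", which could be fixed in the same change.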
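Review bot: In PATCH 5/6 (hunk @@ -909,11 +909,11 @@), the rename from id-kp-oauthStatusListSigning to id-kp-oauthStatusSigning is applied only inside the ASN.1 block, while the section prose shown in PATCH 3/6 still describes the KeyPurposeId as delegating "Status List Token signing authority". Suggest checking the rest of the draft for the old identifier and aligning the prose with the wider name. The first changed line, "id-kp OBJECT IDENTIFIER ::=", appears to differ only in whitespace; that belongs with the "fix line width" commit rather than with a rename.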
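Review bot: In PATCH 6/6 (hunk @@ -902,7 +902,7 @@), the pronoun in "under the condition that they are registered" is ambiguous: grammatically it refers to "Other specifications", but the registries named hold status mechanisms. Suggest wording such as "Other specifications MAY re-use this OID for other status mechanisms, provided those mechanisms are registered in the ... registries", with a cross-reference to the section that defines the two registries. In the context line above, "a X.509 certificate" should read "an X.509 certificate".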