diff --git a/archive.json b/archive.json index 1c2fd26..49137f2 100644 --- a/archive.json +++ b/archive.json @@ -1,6 +1,6 @@ { "magic": "E!vIA5L86J2I", - "timestamp": "2023-08-01T01:08:52.216261+00:00", + "timestamp": "2023-08-03T01:02:48.837860+00:00", "repo": "vcstuff/draft-looker-oauth-jwt-cwt-status-list", "labels": [ { @@ -2833,6 +2833,54 @@ "mergeCommit": null, "comments": [], "reviews": [] + }, + { + "number": 49, + "id": "PR_kwDOJZ2aqs5XChB5", + "title": "chore: initial commit for ttl langugage", + "url": "https://github.com/vcstuff/draft-looker-oauth-jwt-cwt-status-list/pull/49", + "state": "OPEN", + "author": "mprorock", + "authorAssociation": "NONE", + "assignees": [], + "labels": [], + "body": "## \ud83d\udcd1 Description\r\nadds support for `ttl` instructions for consumers/verifiers - this is important, especially with signed lists to separate the requirement to sign and reissue from when a client or cdn needs to fetch a fresh copy of the list", + "createdAt": "2023-08-02T18:46:01Z", + "updatedAt": "2023-08-02T23:31:09Z", + "baseRepository": "vcstuff/draft-looker-oauth-jwt-cwt-status-list", + "baseRefName": "main", + "baseRefOid": "70e860b9cd190741593d92cd0b8e27394137bda9", + "headRepository": "mesur-io/draft-looker-oauth-jwt-cwt-status-list", + "headRefName": "feature/ttl", + "headRefOid": "81ad79e419267529b1b99832d58d60978c5679e8", + "closedAt": null, + "mergedAt": null, + "mergedBy": null, + "mergeCommit": null, + "comments": [ + { + "author": "paulbastian", + "authorAssociation": "CONTRIBUTOR", + "body": "Is that the same mechanism that we intended for `exp` or what are the intended differences?", + "createdAt": "2023-08-02T18:48:38Z", + "updatedAt": "2023-08-02T18:48:38Z" + }, + { + "author": "c2bo", + "authorAssociation": "CONTRIBUTOR", + "body": "We definitely need to improve the wording in the draft on this - the intention was to use the default `exp` claim to signal the freshness requirements of the issuer. Advantage of this would be that it basically comes for free if you use a standard JWT library (which should already check for expiration). \r\nDo you see a benefit in having both `exp` and `ttl` or the need for different meanings/usage?", + "createdAt": "2023-08-02T19:22:27Z", + "updatedAt": "2023-08-02T19:31:55Z" + }, + { + "author": "mprorock", + "authorAssociation": "NONE", + "body": "> We definitely need to improve the wording in the draft on this - the intention was to use the default `exp` claim to signal the freshness requirements of the issuer. Advantage of this would be that it basically comes for free if you use a standard JWT library (which should already check for expiration). Do you see a benefit in having both `exp` and `ttl` or the need for different meanings/usage?\r\n\r\ndefinitely a need for both:\r\n`exp` indicates that the issuer will reissue status no later than such and such date\r\n`ttl` is an instruction for the client side, or the cdn side as to how often to fetch a fresh copy\r\n\r\nThese two values may be in sync in some cases, but not always. consider the case where a jwt may need status checked frequently, but the status changes are infrequent - the isssuer should not need to re-sign a status as frequently as they wish the client to check for a new copy. pretty common issue in the supply chain arena, and others. \r\nthink of `exp` as the renewal date for a dns registration itself, and `ttl` as the `ttl` on a dns record\r\n\r\nedit: also want to note, that a side effect of this, is that if ttl is not set, it basically defaults to ttl and works well for a lot of cases where you would just want an off the shelf jwt processing, or where caching of status, perhaps on external systems is not a concern", + "createdAt": "2023-08-02T23:29:37Z", + "updatedAt": "2023-08-02T23:31:09Z" + } + ], + "reviews": [] } ] } \ No newline at end of file