Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add optional support for historical status resolution #178

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

add optional support for historical status resolution #178

wants to merge 2 commits into from

Conversation

c2bo
Copy link
Member

@c2bo c2bo commented Sep 30, 2024

Adds support for historical resolution of status as an optional feature.

Closes #138
Rendered Version: https://drafts.oauth.net/draft-ietf-oauth-status-list/c2bo/historical-resolution/draft-ietf-oauth-status-list.html

I will take another look at the wording / normative text and mark as ready for review when I am done.

paulbastian
paulbastian requested changes Oct 1, 2024
View reviewed changes
draft-ietf-oauth-status-list.md Outdated Show resolved Hide resolved
draft-ietf-oauth-status-list.md Outdated Show resolved Hide resolved
draft-ietf-oauth-status-list.md

To obtain the Status List or Status List Token, the Relying Party MUST send an HTTP GET request to the URI provided in the Referenced Token with the additional query parameter `time` followed by a unix timestamp. The response for a valid request SHOULD contain a status list that was valid for that specified time or an error for the JWT and CWT variants and MUST contain a valid status list or an error for the unsigned option.

If the Server does not support the additional query parameter, it SHOULD signal that by returning a status code of 501 (Not Implemented), or if the queried time is not supported with a status code of 406 (Not Acceptable). These response MUST be supported for the unsigned option, where the client has not other way of checking when the response was valid. The client MUST verify this for the JWT and CWT variants by checking that the specified timestamp is within `iat` (`6` for CWT) and `exp` (`4` for CWT).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if the SHOULD is a benefit, if implementers cannot rely on it, they SHOULD rather use iat and exp

draft-ietf-oauth-status-list.md Outdated Show resolved Hide resolved
@paulbastian paulbastian mentioned this pull request Oct 9, 2024
Open
@c2bo
Copy link
Member Author

c2bo commented Oct 9, 2024

todo:

  • fix the references to this in privacy considerations
  • fix some wording / language

decentralgabe
decentralgabe approved these changes Oct 9, 2024
View reviewed changes
Copy link

@decentralgabe decentralgabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the language looks good, thanks for including it.

I will only add that while there may be privacy risks, there are legitimate business cases that require such historical data, such as guaranteeing compliance with financial regulation. In these cases, user privacy is made better by using this specification (as opposed to amore privacy-eroding solution), even if maximal privacy is not achieved. I hope the privacy section can speak to this nuance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paulbastian paulbastian paulbastian requested changes

@decentralgabe decentralgabe decentralgabe approved these changes

@tplooker tplooker Awaiting requested review from tplooker tplooker will be requested when the pull request is marked ready for review tplooker is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support an optional feature for historical resolution
3 participants
@c2bo @decentralgabe @paulbastian