id-jag SHOULD be short-lived

[sdesen]

A short lived id-jag token mitigates many threats such as token theft and the need to implement token revocation mechanisms, among others (although other mitigations in place such as client auth)
Should the security considerations or somewhere in the spec specificy that the token should be short lived? Sorry if this was already present and I missed it, or if it will be present in the pending Refresh token updates.

[mcguinness]

This should be covered in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining-05#section-5.5. Do we need anything specific in this document?

[sdesen]

ID chaining is only mentioned in the introduction so I would probably want that section highlight or added in security concerns. might be too repetitive, but 🤷