IETF interim June 11 2024

Token Status List

Paul talks about the status and history of Token Status List, presents
the big picture and describes how the idx and uri claims are used to
verify status.
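As an added illustration of the idx/uri lookup Paul described (example code written for these minutes, not from the slides or the draft), the following Python builds a status list in the shape the Token Status List draft defines (a bits-per-status field and a zlib-deflated, base64url-encoded bit array in lst, idx 0 at the lowest bits of the first byte) and then resolves a referenced token's status from it. The claim names follow the draft; the URI and sample statuses are constructed, and signature verification of the fetched Status List Token is assumed to have happened before this step.

```python
import base64
import json
import zlib

# Status values defined by the Token Status List draft; a 2-bit list can carry all three.
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02


def build_status_list(statuses, bits=2):
    """Issuer side: pack statuses (idx 0 = lowest bits of byte 0), deflate, base64url."""
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, st in enumerate(statuses):
        raw[idx // per_byte] |= (st & ((1 << bits) - 1)) << ((idx % per_byte) * bits)
    lst = base64.urlsafe_b64encode(zlib.compress(bytes(raw), 9)).rstrip(b"=").decode()
    return {"bits": bits, "lst": lst}


def lookup_status(status_list, idx):
    """Verifier side: inflate lst and read the bits-wide field at position idx."""
    bits, lst = status_list["bits"], status_list["lst"]
    raw = zlib.decompress(base64.urlsafe_b64decode(lst + "=" * (-len(lst) % 4)))
    byte_i, slot = divmod(idx, 8 // bits)
    if byte_i >= len(raw):
        raise IndexError("idx is outside the status list")
    return (raw[byte_i] >> (slot * bits)) & ((1 << bits) - 1)


def verify_referenced_token(referenced_claims, fetched_status_tokens):
    """Follow status.status_list.uri to the Status List Token payload (its signature is
    assumed to have been checked already), require sub == uri, then look up idx."""
    ref = referenced_claims["status"]["status_list"]
    status_token = fetched_status_tokens[ref["uri"]]
    if status_token.get("sub") != ref["uri"]:
        raise ValueError("Status List Token sub does not match the referenced uri")
    return lookup_status(status_token["status_list"], ref["idx"])


# Constructed sample: six credentials, idx 1 and 5 revoked, idx 2 suspended.
STATUS_URI = "https://issuer.example/statuslists/1"  # placeholder, not a real endpoint
STATUS_TOKENS = {STATUS_URI: {"sub": STATUS_URI, "iat": 1718064000, "status_list":
    build_status_list([VALID, INVALID, SUSPENDED, VALID, VALID, INVALID])}}
CREDENTIAL = {"iss": "https://issuer.example",
              "status": {"status_list": {"idx": 2, "uri": STATUS_URI}}}

if __name__ == "__main__":
    print(json.dumps(STATUS_TOKENS[STATUS_URI]["status_list"]))
    print("status of idx 2:", verify_referenced_token(CREDENTIAL, STATUS_TOKENS))  # 2 == SUSPENDED
```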

Changes since last IETF:

Work in progress:

Open points:

Additional slides are shown which give an overview of the various status
mechanisms and compare them.

Giuseppe mentions that his scenario requires more than a simple
revocation.

Chair Rifaat suggests adjourning and having a more detailed discussion in
Vancouver.

OAuth Status Assertions

Giuseppe gives an introduction into the history of the draft and
explains that the title has changed based on IETF feedback. He describes
the draft briefly.

An example is shown where the status assertion uses the same "status"
claim as token status list. An additional example shows that multiple
assertions can be requested in a single request. Further examples show
proof of possession and signatures.

Kristina: Raises concerns about this model: Wallet fetching status list
on behalf of verifier doesn't make sense from a perspective of the trust
between verifier and wallet.

Giuseppe: Wallet must be informed when credential is revoked. Presenting
assertion satisfies the requirements. RP doesn't need to reach other 3Ps.
Single HTTP request, holder provides the digital credential + status.
Working with legal teams is challenging where RP can continuously
monitor status even outside the user's authentication.

Paul: (refers to chat) Asks if the endpoint provided by the issuer is
protected, so that the verifier cannot access it.

G: Yes, that's correct. Wallet must provide authentication.

Paul: Raises concern that reference token (status) needs to have cnf
claim so that authentication to issuer status endpoint is satisfied.
Proposes to decouple this from the reference token, e.g. reference tokens
without a cnf claim.


Christian Bormann: If a new credential can be requested, why have status
assertions? Is this preferred?
G: Yes, but short-lived credentials are being avoided due to
customer experience.


Paul Bastian: If good reasons exist that it's better than short-lived
credentials we should adopt this. Privacy preserving but worse in scale.
How does this compare to status list?


OAuth Global Token Revocation

Aaron gives background on the problem the draft is solving.

GTR uses Security Event Tokens as an input, requires authentication and
results in revoked refresh tokens, if possible revoked access tokens,
and a user that must re-authenticate.

Aaron shows examples of requests and responses.

Aaron shows a slide listing existing token revocation drafts and how
this draft compares to them. Closest to this draft is OpenID Connect
Back-Channel Logout. Some overlap with the OpenID Shared Signals Framework.

Another slide shows how this draft can work together with the previously
discussed drafts (status assertions and token status lists).


Oliver: Status lists define valid/invalid/suspended. Which of these
statuses would be triggered by global token revocation?

Aaron: Draft has nothing to do with VCs, it's simple OAuth with access
tokens and refresh tokens. If you want to use a status list to keep track
of revoked tokens, then it should be made clear what flags to use.


Paul Bastian: It would be valuable if the status types could be reused
across the drafts and the terminology aligned.


Pieter Kasselman: How does the AS communicate back to resource servers that
a token has been revoked?

Aaron: Good question, in OAuth this is normally out of scope. If AS and
RS are separate servers, they need to coordinate somehow.


General revocation conversation

Christian: As long as we don't have scalable cryptographic accumulators,
there won't be a single system that fits all.

Kristina: We are not seeing any convergence on a single model in the
wallets space. No clear metrics on who's using what. Each impl. is
choosing what seems to fit their requirements. Will be hard to drive
convergence. Partially embracing that there will be multiple revocation
mechanisms.

Hannes: Out of all the mechanisms, are developers aware of the criteria
to decide which one to take? Is it an easy decision? It would be useful
to avoid confusion.

Rifaat: Need for more discussion, continuing in Vancouver.