[OAUTH-WG] Re: OAuth Digest, Vol 198, Issue 21

[Steffen Schwalm]

Let`s limit the application area of TokenStatusList to the US only 😉

Von: Michael Schwartz <m...@gluu.org>
Gesendet: Dienstag, 8. April 2025 18:51
An: oauth@ietf.org
Betreff: [OAUTH-WG] Re: OAuth Digest, Vol 198, Issue 21


Caution: This email originated from outside of the organization. Despite an 
upstream security check of attachments and links by Microsoft Defender for 
Office, a residual risk always remains. Only open attachments and links from 
known and trusted senders.
I very much support moving the Token Status List draft forward.

Gluu (via Janssen Project) has already implemented the draft spec and we've 
found it to be an invaluable new tool in our toolbox.

Mike

--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
https://www.linkedin.com/in/nynymike

On Mon, Apr 7, 2025 at 11:11 PM 
<oauth-requ...@ietf.org<mailto:oauth-requ...@ietf.org>> wrote:
Send OAuth mailing list submissions to
        oauth@ietf.org<mailto:oauth@ietf.org>

To subscribe or unsubscribe via email, send a message with subject or
body 'help' to
        oauth-requ...@ietf.org<mailto:oauth-requ...@ietf.org>

You can reach the person managing the list at
        oauth-ow...@ietf.org<mailto:oauth-ow...@ietf.org>

When replying, please edit your Subject line so it is more specific
than "Re: Contents of OAuth digest..."

Today's Topics:

   1. Re: Second WGLC for Token Status List (Brian Campbell)
   2. Re: Second WGLC for Token Status List (Steffen Schwalm)


----------------------------------------------------------------------

Message: 1
Date: Mon, 7 Apr 2025 13:49:27 -0600
From: Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>
Subject: [OAUTH-WG] Re: Second WGLC for Token Status List
To: Steffen Schwalm 
<Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>>
Cc: 
"torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>"
        
<torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>,
 oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Message-ID:
        
<CA+k3eCTmf=5ozgqetcuvb1xjjlwjnmevpl1qyhjxwfpp7li...@mail.gmail.com<mailto:5ozgqetcuvb1xjjlwjnmevpl1qyhjxwfpp7li...@mail.gmail.com>>
Content-Type: multipart/alternative;
        boundary="0000000000004922c80632358abc"

On Thu, Apr 3, 2025 at 11:33 AM Steffen Schwalm 
<Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>>
wrote:

> I strongly oppose against moving forward the specification as Issues still
> open.
>
>
>
>    1. There´s no documented decision on the well-known x509 issue –
>    beside the wishes of the authors
>
>
Having seen and participated in discussion of the issue on the mailing
list, at "unofficial" events with WG participants, and at official events
with WG participants - the decision was very clearly based on the wishes of
the rough consensus of the WG participants. Speaking as an individual, of
course.




>    1.
>    2. Still wait for information from chairs where and how to solve issue
>    when not in TokenStatusList
>    3. Means TokenStatusList contains privacy issue in case used for
>    Attestatiosn of attributes in eIDAS
>
>
>
>
>
> *Von:* Kristina Yasuda 
> <yasudakrist...@gmail.com<mailto:yasudakrist...@gmail.com>>
> *Gesendet:* Mittwoch, 2. April 2025 00:22
> *An:* ANTHONY NADALIN <nada...@prodigy.net<mailto:nada...@prodigy.net>>
> *Cc:* 
> torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>;
>  oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
> *Betreff:* [OAUTH-WG] Re: Second WGLC for Token Status List
>
>
>
> *Caution:* This email originated from outside of the organization.
> Despite an upstream security check of attachments and links by Microsoft
> Defender for Office, a residual risk always remains. Only open attachments
> and links from known and trusted senders.
>
> I support moving this specification forward. It is a crucial building
> block for lifecycle management of different tokens/credentials.
>
>
>
> On Tue, Apr 1, 2025 at 9:42 PM ANTHONY NADALIN 
> <nada...@prodigy.net<mailto:nada...@prodigy.net>>
> wrote:
>
> support this moving forward as we need this in ISO
>
>
>
> Get Outlook for Android <https://aka.ms/AAb9ysg>
> ------------------------------
>
> *From:* 
> torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>
>  <torsten=
> 40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>
> *Sent:* Tuesday, April 1, 2025 11:38:22 AM
> *To:* oauth <oauth@ietf.org<mailto:oauth@ietf.org>>; Rifaat Shekh-Yusef 
> <rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>
> *Subject:* [OAUTH-WG] Re: Second WGLC for Token Status List
>
>
>
> Hi,
>
> I support moving this spec forward.
>
>
>
> best regards,
>
> Torsten.
>
> Am 24. März 2025, 13:41 +0100 schrieb Rifaat Shekh-Yusef <
> rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>:
>
> All,
>
> This is a *second WG Last Call* for the *Token Status List* document:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
>
> Please, review this document and reply on the mailing list if you have any
> comments or concerns, by *April 7th*.
>
> Regards,
>   Rifaat & Hannes
>
>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
> To unsubscribe send an email to 
> oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
> To unsubscribe send an email to 
> oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
> To unsubscribe send an email to 
> oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>
>

--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you._
-------------- next part --------------
A message part incompatible with plain text digests has been removed ...
Name: not available
Type: text/html
Size: 9477 bytes
Desc: not available

------------------------------

Message: 2
Date: Tue, 8 Apr 2025 06:08:37 +0000
From: Steffen Schwalm 
<Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>>
Subject: [OAUTH-WG] Re: Second WGLC for Token Status List
To: Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>
Cc: 
"torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>"
        
<torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>,
 oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Message-ID:  <am8p191mb1299038e6ad6eca9752809f2fa...@am8p191mb1299.eur
        P191.PROD.OUTLOOK.COM<http://P191.PROD.OUTLOOK.COM>>
Content-Type: multipart/alternative;    boundary="_000_AM8P191MB129903
        8E6AD6ECA9752809F2FAB52AM8P191MB1299EURP_"

Hi Brian,

thanks a lot for your mail. As far as I know informal meetings and assumptions 
of alleged consensus are no basement for trustworthy decisions on open 
standardization and official standardization bodies like IETF as the chairs 
confirmed several times. We are currently in WGLC, after consensus found 
everybody will be happy to follow it.

Independently from this: the subject is under clarification. Maybe we use the 
time to solve the privacy issue TokenStatusList contains immanently if used for 
(Q)EAA in eIDAS.

Best

Steffen






Von: Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>
Gesendet: Montag, 7. April 2025 21:49
An: Steffen Schwalm 
<Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>>
Cc: Kristina Yasuda 
<yasudakrist...@gmail.com<mailto:yasudakrist...@gmail.com>>; ANTHONY NADALIN 
<nada...@prodigy.net<mailto:nada...@prodigy.net>>; 
torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>;
 oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Betreff: Re: [OAUTH-WG] Re: Second WGLC for Token Status List


Caution: This email originated from outside of the organization. Despite an 
upstream security check of attachments and links by Microsoft Defender for 
Office, a residual risk always remains. Only open attachments and links from 
known and trusted senders.


On Thu, Apr 3, 2025 at 11:33 AM Steffen Schwalm 
<Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>>>
 wrote:
I strongly oppose against moving forward the specification as Issues still open.


  1.  There´s no documented decision on the well-known x509 issue – beside the 
wishes of the authors

Having seen and participated in discussion of the issue on the mailing list, at 
"unofficial" events with WG participants, and at official events with WG 
participants - the decision was very clearly based on the wishes of the rough 
consensus of the WG participants. Speaking as an individual, of course.




  1.
  2.  Still wait for information from chairs where and how to solve issue when 
not in TokenStatusList
  3.  Means TokenStatusList contains privacy issue in case used for 
Attestatiosn of attributes in eIDAS


Von: Kristina Yasuda 
<yasudakrist...@gmail.com<mailto:yasudakrist...@gmail.com><mailto:yasudakrist...@gmail.com<mailto:yasudakrist...@gmail.com>>>
Gesendet: Mittwoch, 2. April 2025 00:22
An: ANTHONY NADALIN 
<nada...@prodigy.net<mailto:nada...@prodigy.net><mailto:nada...@prodigy.net<mailto:nada...@prodigy.net>>>
Cc: 
torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org><mailto:40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>;
 oauth 
<oauth@ietf.org<mailto:oauth@ietf.org><mailto:oauth@ietf.org<mailto:oauth@ietf.org>>>
Betreff: [OAUTH-WG] Re: Second WGLC for Token Status List


Caution: This email originated from outside of the organization. Despite an 
upstream security check of attachments and links by Microsoft Defender for 
Office, a residual risk always remains. Only open attachments and links from 
known and trusted senders.
I support moving this specification forward. It is a crucial building block for 
lifecycle management of different tokens/credentials.

On Tue, Apr 1, 2025 at 9:42 PM ANTHONY NADALIN 
<nada...@prodigy.net<mailto:nada...@prodigy.net><mailto:nada...@prodigy.net<mailto:nada...@prodigy.net>>>
 wrote:
support this moving forward as we need this in ISO

Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: 
torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org><mailto:40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>
 
<torsten=40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org><mailto:40lodderstedt....@dmarc.ietf.org<mailto:40lodderstedt....@dmarc.ietf.org>>>
Sent: Tuesday, April 1, 2025 11:38:22 AM
To: oauth 
<oauth@ietf.org<mailto:oauth@ietf.org><mailto:oauth@ietf.org<mailto:oauth@ietf.org>>>;
 Rifaat Shekh-Yusef 
<rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com><mailto:rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>>
Subject: [OAUTH-WG] Re: Second WGLC for Token Status List

Hi,

I support moving this spec forward.

best regards,
Torsten.
Am 24. März 2025, 13:41 +0100 schrieb Rifaat Shekh-Yusef 
<rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com><mailto:rifaat.s.i...@gmail.com<mailto:rifaat.s.i...@gmail.com>>>:
All,

This is a second WG Last Call for the Token Status List document:
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

Please, review this document and reply on the mailing list if you have any 
comments or concerns, by April 7th.

Regards,
  Rifaat & Hannes

_______________________________________________
OAuth mailing list -- 
oauth@ietf.org<mailto:oauth@ietf.org><mailto:oauth@ietf.org<mailto:oauth@ietf.org>>
To unsubscribe send an email to 
oauth-le...@ietf.org<mailto:oauth-le...@ietf.org><mailto:oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>>
_______________________________________________
OAuth mailing list -- 
oauth@ietf.org<mailto:oauth@ietf.org><mailto:oauth@ietf.org<mailto:oauth@ietf.org>>
To unsubscribe send an email to 
oauth-le...@ietf.org<mailto:oauth-le...@ietf.org><mailto:oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>>
_______________________________________________
OAuth mailing list -- 
oauth@ietf.org<mailto:oauth@ietf.org><mailto:oauth@ietf.org<mailto:oauth@ietf.org>>
To unsubscribe send an email to 
oauth-le...@ietf.org<mailto:oauth-le...@ietf.org><mailto:oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.
-------------- next part --------------
A message part incompatible with plain text digests has been removed ...
Name: not available
Type: text/html
Size: 17026 bytes
Desc: not available

------------------------------

Subject: Digest Footer

_______________________________________________
OAuth mailing list -- oauth@ietf.org<mailto:oauth@ietf.org>
To unsubscribe send an email to 
oauth-le...@ietf.org<mailto:oauth-le...@ietf.org>


------------------------------

End of OAuth Digest, Vol 198, Issue 21
**************************************

[https://github.com/GluuFederation/docs-gluu-server-prod/blob/master/docs/source/small_logo.png?raw=true]
________________________________
CONFIDENTIALITY NOTICE
This message may contain confidential or legally privileged information.
If you are not the intended recipient, please immediately advise the sender by 
reply e-mail that you received this message, and delete this e-mail from your 
system.
Thank you for your cooperation

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org