fix: issue 298 #299
Open
fix: issue 298 #299
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
some nitpicks and clarifications
adeinega
reviewed
Jul 17, 2025
| - Generating a unique Status List for every Referenced Token. By these means, the Issuer could maintain a mapping between Referenced Tokens and Status Lists and thus track the usage of Referenced Tokens by utilizing this mapping for the incoming requests. | ||
| - Encoding a unique uri in each Reference Token which points to the underlying Status List. This may involve using uri components such as query parameters, unique path segments or fragments to make the uri unique. | ||
|
|
||
| This malicious behaviour can be detected by Relying Parties that request large amounts of Referenced Tokens by comparing the number of different Status Lists and their sizes with the volume of Reference Tokens being verified. |
There was a problem hiding this comment.
Suggested change
| This malicious behaviour can be detected by Relying Parties that request large amounts of Referenced Tokens by comparing the number of different Status Lists and their sizes with the volume of Reference Tokens being verified. | |
| This malicious behavior can be detected by Relying Parties that request large amounts of Referenced Tokens by comparing the number of different Status Lists and their sizes with the volume of Reference Tokens being verified. |
There was a problem hiding this comment.
We've been mainly using the British spelling, so I'd keep behaviour as is.
adeinega
reviewed
Jul 17, 2025
draft-ietf-oauth-status-list.md
Outdated
|
|
||
| A malicious Issuer could bypass the privacy benefits of the herd privacy by generating a unique Status List for every Referenced Token. By these means, the Issuer could maintain a mapping between Referenced Tokens and Status Lists and thus track the usage of Referenced Tokens by utilizing this mapping for the incoming requests. This malicious behaviour could be detected by Relying Parties that request large amounts of Referenced Tokens by comparing the number of different Status Lists and their sizes. | ||
| A malicious Issuer could bypass the privacy benefits of the herd privacy by |
There was a problem hiding this comment.
I’m not entirely sure if it’s always a malicious issuer. This kind of thing can "accidentally" be introduced by a legitimate issuer due to the various reasons (due to lack of recommendations, knowledge, and whatnot).
It's a bit unfortunate that there isn't much RPs can do about it as URLs such as https://example.com/some_tenant_guid1/statuslists/1 and https://example.com/some_tenant_guid2/statuslists/1 are valid ones.
adeinega
reviewed
Jul 17, 2025
|
I've also left a comment about the use of claim vs property in my #298. |
paulbastian
approved these changes
Jul 17, 2025
Co-authored-by: Paul Bastian <[email protected]>
Co-authored-by: Andrii Deinega <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #298