DSC-iTC / cPP

Dedicated Security Components cPP & SD
MIT License

SPD Assumptions #183

Open woodbe opened 10 months ago

woodbe commented 10 months ago

Instead of bringing in the aspect of A.CREDENTIAL_REVOCATION, you should better think of the necessity of obligatory objective attestation and require separation of authentication and authorisation, to make clear that, in spite of an authorisation request, the requestor gets only suitable authorisation with afterwards authentication respective authorisation or attestation. This is missing here and, unfortunately, in practice more often, too.

woodbe commented 9 months ago

Consider this with next round of updates as far as clarity goes, but likely not changing this particular assumption at this time (consider for next update).

slpotte commented 9 months ago

Are you proposing deferring SFRs specific to credential revocation until the next round of updates? I'm okay with that.

woodbe commented 9 months ago

Yes, at this time I don't want to open up authentication vs authorization for review as I think that is a larger topic for later.