Open peppelinux opened 5 months ago
OAuth Status Lists [@!I-D.looker-oauth-jwt-cwt-status-list] are suitable for specific scenarios, especially when the Verifier needs to verify the status of a Digital Credential at a later time after the User has presented the Digital Credential.
In scenarios where the Verifier, Credential Issuer, and OAuth Status List Provider are all part of the same domain or operate within a context where a high level of trust exists between them and the End-User, the OAuth Status List is the optimal solution; while there might be other cases where the OAuth Status List facilitates the exposure to the following privacy risks:
Status Assertions differ significantly from OAuth Status Lists in several ways:
Privacy: Status Assertions are designed to be privacy-preserving. Verifier exchanges the Status Assertions directly with the Holder, not requiring the Verifier to gather any additional information from third-party entities. Once a Status Assertion is issued, it can be verified without any further communication with the Credential Issuer or any other party, thus preventing potential privacy leaks.
Static Verification: Status Assertions are designed to be statically provided to Verifiers by Wallet Instance.
Digital Credentials Formats: Status Assertions are agnostic from the Digital Credential format to which they are bound.
Trust Model: Status Assertions operate under a model where the Verifier trusts the Credential Issuer to provide accurate status information, while the OAuth Status Lists operate under a model where the Verifier trusts the Status List Provider to maintain an accurate and up-to-date list of statuses.
Offline flow: OAuth Status List can be accessed by a Verifier when
an internet connection is present. At the same time,
OAuth Status List defines
how to download an entire Status List or a Status List Token.
In the Status List Token, the status_list
and sub
members are mandatory.
They provide the URL and the index of the revocation entry for the Digital Credential,
enabling a Verifier to check the status of the Digital Credential
when a broadband connection becomes available.
Even if similar to
the OAuth Status List Token, the Status Assertions enable the User to
persistently use their preexistent Digital Credentials,
without disclosing a status URL or any remote reference to it, as long as
the linked Status Assertion is available and presented to the
Verifier, and not expired.
Real-time validation: OAuth Status Lists provide the possibility to do real-time validation of the Digital Credential status. To support the real-time status validation use cases, a Wallet MAY implement strategy to request a new Status Assertion before sending it to the Verifier.
other points:
the bitstring status list hugely increases over time and cannot be reduced, untill all the block will be free, even when the related credential are expired. this creates huge impacts within an it infrastructure
the Status List URL mixed with the index uniquely identify the credential, representing a sort of super-cookie
A credential is revoked but status list fails download. Is that credential revoked? Standing on the last status list (outdated and already obtained by RP) yes, while it is not.
All those comparisons will be held in this thread unless an informational RFC will be created about both the status lists and the status assertions