Merge pull request #252 from oauth-wg/205-validation-rules
mention key resolution in the validation rules section
c2bo authored Feb 2, 2025
2 parents b956552 + efcf1e7 commit ef4ee62
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion draft-ietf-oauth-status-list.md
Expand Up @@ -772,7 +772,7 @@ If this validation is not successful, the Referenced Token MUST be rejected. If
1. Check for the existence of a `status` claim, check for the existence of a `status_list` claim within the `status` claim and validate that the content of `status_list` adheres to the rules defined in [](#referenced-token-jose) for JOSE-based Referenced Tokens and [](#referenced-token-cose) for COSE-based Referenced Tokens. Other formats of Referenced Tokens may define other encoding of the URI and index.
2. Resolve the Status List Token from the provided URI
3. Validate the Status List Token:
1. Validate the Status List Token by following the rules defined in section 7.2 of {{RFC7519}} for JWTs and section 7.2 of {{RFC8392}} for CWTs
1. Validate the Status List Token by following the rules defined in section 7.2 of {{RFC7519}} for JWTs and section 7.2 of {{RFC8392}} for CWTs. This step might require the resolution of a public key as described in [](#key-management).
2. Check for the existence of the required claims as defined in [](#status-list-token-jwt) and [](#status-list-token-cwt) depending on the token type
4. All existing claims in the Status List Token MUST be checked according to the rules in [](#status-list-token-jwt) and [](#status-list-token-cwt)
1. The subject claim (`sub` or `2`) of the Status List Token MUST be equal to the `uri` claim in the `status_list` object of the Referenced Token
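
Review bot: The sentence added to step 3.1 says key resolution "might" be required, but it does not say what the verifier does when no key can be resolved as described in [](#key-management). Suggest stating explicitly that a failed key resolution is a validation failure, so that it clearly falls under the rule in the preceding paragraph ("If this validation is not successful, the Referenced Token MUST be rejected"), for example: "If no key can be resolved, the validation fails." Minor style point: item 3.1 now ends with a period while the neighbouring items 2, 3.2 and 4 do not.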
Expand Down Expand Up @@ -1805,6 +1805,7 @@ CBOR encoding:
* updated language around application specific status type values and assigned ranges for application specific usage
* add short security considerations section for mac based deployments
* fix aggregation_uri text in referenced token
* mention key resolution in validation rules

-06
