
Interims Feedback: Discussion around Suspended Status Type #222

Open
paulbastian opened this issue Jan 14, 2025 · 3 comments · May be fixed by #249

paulbastian commented Jan 14, 2025

In the OAuth Interim Call on 13 Jan 2025, feedback was raised regarding the pre-defined Status Types.

Currently we define only 3 Status Types:

  • 0x00 VALID
  • 0x01 INVALID
  • 0x02 SUSPENDED
  • the rest is undefined or application-specific

There was no objection to 0x00 and 0x01, and people agreed that for security reasons it's best to have those important ones fixed in the specification. On 0x02 (suspended) there were differing opinions and suggestions. The summarized options are:

Option A

Keep 0x02 (suspended) as pre-defined, but add text to the draft that explains its potential privacy issues (leaking more information than necessary when used with natural persons) as well as its potential use cases (suspended may signal different actions to the Relying Party and avoid deletion of an account or similar).

Option B

Remove 0x02 (suspended) and leave it as an application-specific, ecosystem-dependent value, if needed.

Option C

Leave 0x00 and 0x01 pre-defined in the draft and add context-specific values and descriptions for the other ones in the Status List Token; see initial thoughts on this in #1.
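To make the trade-off between the three options concrete, here is an added example (not code from the issue, the draft, or the project) of an issuer packing status values into a Status List and a Relying Party reading them back. It assumes the bit layout and encoding of the status list draft: 1, 2, 4 or 8 bits per Referenced Token, entry 0 in the least significant bits of byte 0, the byte string DEFLATE-compressed and base64url-encoded without padding. The status values are the ones listed above (0x00 VALID, 0x01 INVALID, 0x02 SUSPENDED); mapping every other value to APPLICATION_SPECIFIC, and the sample status array, are this example's own assumptions. Note that a 1-bit list cannot express SUSPENDED at all: the moment an issuer wants it, the list grows to 2 bits and every Relying Party can distinguish suspended from invalid, which is the privacy point of Option A.

```python
import base64
import zlib

# Pre-defined Status Type values as listed in this issue. Treating every other
# value as APPLICATION_SPECIFIC is an assumption of this example.
VALID = 0x00
INVALID = 0x01
SUSPENDED = 0x02

ALLOWED_BITS = (1, 2, 4, 8)


def fits(value, bits):
    """True if a status value is representable with `bits` bits per entry."""
    return bits in ALLOWED_BITS and 0 <= value < (1 << bits)


def pack_statuses(statuses, bits):
    """Pack one status value per Referenced Token into the raw byte string.

    Assumed layout (status list draft): `bits` bits per entry, entry 0 in the
    least significant bits of byte 0, each byte filled from the LSB upwards.
    """
    if bits not in ALLOWED_BITS:
        raise ValueError("bits must be one of %r" % (ALLOWED_BITS,))
    per_byte = 8 // bits
    out = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, value in enumerate(statuses):
        if not fits(value, bits):
            # e.g. SUSPENDED (0x02) cannot be expressed in a 1-bit list
            raise ValueError("status 0x%02x does not fit in %d bit(s)" % (value, bits))
        out[idx // per_byte] |= value << ((idx % per_byte) * bits)
    return bytes(out)


def unpack_statuses(raw, bits):
    """Inverse of pack_statuses; returns one value per slot, unused tail slots included."""
    if bits not in ALLOWED_BITS:
        raise ValueError("bits must be one of %r" % (ALLOWED_BITS,))
    per_byte = 8 // bits
    mask = (1 << bits) - 1
    return [(raw[idx // per_byte] >> ((idx % per_byte) * bits)) & mask
            for idx in range(len(raw) * per_byte)]


def encode_status_list(statuses, bits):
    """Pack, DEFLATE-compress and base64url-encode (unpadded) the status list."""
    compressed = zlib.compress(pack_statuses(statuses, bits), 9)
    return base64.urlsafe_b64encode(compressed).rstrip(b"=").decode("ascii")


def decode_status_list(lst, bits):
    """Reverse of encode_status_list: restore padding, base64url-decode, inflate, unpack."""
    padded = lst + "=" * (-len(lst) % 4)
    raw = zlib.decompress(base64.urlsafe_b64decode(padded))
    return unpack_statuses(raw, bits)


def status_name(value):
    """Map a status value to the names used in this discussion."""
    return {VALID: "VALID", INVALID: "INVALID", SUSPENDED: "SUSPENDED"}.get(
        value, "APPLICATION_SPECIFIC")


def relying_party_accepts(value):
    """Conservative Relying Party policy: only VALID is accepted.

    SUSPENDED and any value this RP does not know are rejected just like
    INVALID. The distinct code changes only what the RP learns (and may show
    the user) about *why*, which is the information leak weighed above.
    """
    return value == VALID


if __name__ == "__main__":
    # Constructed sample: 12 Referenced Tokens, 2 bits each (value 3 is undefined/app-specific).
    sample = [INVALID, SUSPENDED, VALID, 3, VALID, INVALID, VALID, INVALID, INVALID, SUSPENDED, 3, 3]
    lst = encode_status_list(sample, 2)
    print("status list:", lst)
    for idx, value in enumerate(decode_status_list(lst, 2)):
        verdict = "accepted" if relying_party_accepts(value) else "rejected"
        print("index %2d: %-20s %s" % (idx, status_name(value), verdict))
    print("SUSPENDED fits in 1 bit:", fits(SUSPENDED, 1))
```

Running the script prints the encoded list and the per-index verdicts; swapping `bits` to 1 makes `pack_statuses` raise as soon as a SUSPENDED entry appears, which is exactly the choice an issuer faces under Option B.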

c2bo mentioned this issue Jan 14, 2025

c2bo commented Jan 16, 2025

Editors' call: preference to keep suspended among the pre-defined values (with an additional section explaining its risks).
We also might want to reserve certain ranges of status type values for future use.

paulbastian commented

Editors' Call:

  • possible additional status type: OUT_OF_DATE
  • make clear that all other values that are not APPLICATION_SPECIFIC are reserved for future use/registration

c2bo assigned tplooker and c2bo and unassigned tplooker Jan 27, 2025

c2bo commented Jan 29, 2025

TODO: propose Privacy Considerations for the Suspended status.

c2bo linked a pull request Jan 30, 2025 that will close this issue