property uri #298

@adeinega

Property uri is currently defined as

The uri (URI) claim MUST specify a String value that identifies the Status List Token containing the status information for the Referenced Token. The value of uri MUST be a URI conforming to [RFC3986].

The issue here is that an issuer of ATs can add query and path parameters (unique to each issued AT) that would allow tracking the usage of ATs. While it's technically impossible to completely "hide" information about who downloaded the status list (I refer to SRC IP, user agent, etc.), the spec in my view should discourage, and even explicitly forbid, such techniques. Otherwise, it leaves the door open for this sort of misuse... which also defeats the purpose of being a privacy-preserving way to check the statuses of tokens.

I also think it's a bit better to refer to uri as one of the properties of the status claim, not as a claim.
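The following is an added example, not part of the original issue or the specification: a sketch of how a wallet or auditor could flag status list URIs that single out individual tokens, the tracking pattern described above. The policy (flag any query or fragment, and any list URI referenced by fewer than `min_group` tokens), the function names and the sample claims are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: "status" claims taken from five Referenced Tokens
# (hypothetical issuers, not real data).
SAMPLE_STATUS_CLAIMS = [
    {"status_list": {"idx": 0, "uri": "https://issuer-a.example/statuslists/1"}},
    {"status_list": {"idx": 7, "uri": "https://issuer-a.example/statuslists/1"}},
    {"status_list": {"idx": 9, "uri": "https://ISSUER-A.example/statuslists/1"}},
    {"status_list": {"idx": 0, "uri": "https://issuer-b.example/statuslists/1?t=8f3a"}},
    {"status_list": {"idx": 0, "uri": "https://issuer-b.example/statuslists/c41d"}},
]

def normalize(uri):
    """Lower-case scheme and authority, drop query and fragment, for grouping."""
    p = urlsplit(uri)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"

def audit_status_uris(claims, min_group=2):
    """Return {uri: [reasons]} for URIs that could identify a single token.

    Assumed policy (not taken from the spec): a query or fragment component
    is suspicious, and so is a list URI used by fewer than `min_group` tokens,
    because fetching it reveals which token is being checked.
    """
    group_size = defaultdict(int)
    for claim in claims:
        group_size[normalize(claim["status_list"]["uri"])] += 1

    findings = {}
    for claim in claims:
        uri = claim["status_list"]["uri"]
        parts = urlsplit(uri)
        reasons = []
        if parts.query:
            reasons.append("query component present")
        if parts.fragment:
            reasons.append("fragment component present")
        if group_size[normalize(uri)] < min_group:
            reasons.append(f"URI shared by fewer than {min_group} tokens")
        if reasons:
            findings[uri] = reasons
    return findings

if __name__ == "__main__":
    for uri, reasons in audit_status_uris(SAMPLE_STATUS_CLAIMS).items():
        print(uri, "->", "; ".join(reasons))
```

The group-size check only means something when the auditor sees many tokens from the same issuer; a single wallet holding one credential cannot tell a shared list from a per-token one by counting alone.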
