Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ttl counting from iat rather than fetch time #274

Closed
remcoschaar opened this issue Mar 5, 2025 · 2 comments · Fixed by #280
Closed

ttl counting from iat rather than fetch time #274

remcoschaar opened this issue Mar 5, 2025 · 2 comments · Fixed by #280
Assignees
@paulbastian

Comments

@remcoschaar
Copy link

Section 11.4 holds a description on caching status lists and expiry. The section contains a diagram, where the ttl is based of the time of fetching.

The time of fetching can be rather arbitrary, e.g. first time of encountering of a token by an issuer in practice. A Relying Party may initially fetch a status list "just before iat". The RP will then have an outdated status list for the full ttl, before again fetching the status list just before it will be renewed by the issuer.

Typically the issuer of a token will publish a new status list every period (every ttl). This would be based off of iat, with the period ttl. Hereby suggesting to revise the diagram, to base the ttl on the iat rather than the "time of fetching". That way the Relying Party can get the most recent status list as soon as it is available.

A downside may be that the issuer could see a load at or just after iat+ttl. This however may happen in practice anyways, as it is typically a public endpoint.
@c2bo
Copy link
Member

c2bo commented Mar 5, 2025

That was a conscious decision to distribute the load for the hosting of the Status List. It is a SHOULD in the draft, so implementations may choose to not use the time of fetching + ttl, but use iat + ttl to guarantee most up-to-date information. The Status List Token can be considered valid until it hits exp time and it should imho be up to the RP policy how to use ttl.

@remcoschaar
Copy link
Author

Thanks for confirming this was a conscious decision. That is currently not very clear from the draft itself. I agree that in general that would make a sensible default.
There will be ecosystems with different needs for their stakeholders, depending on among others: the number of stakeholders, their size, their roles, timings, regulations, status list batch parameters and infrastructure.

Could I suggest alternatively to include a subsection under "implementation considerations"?
Basically the section should point out that setting the frequency for ttl for Issuers is balancing operational load (costs) with timeliness of propagating status changes to the ecosystem. And choices for exp and ttl at the same time influence availability of using tokens for End-Users at Relying Parties.
For Relying Parties the consideration would be similar, timeliness of status information versus putting a burden on, with risk of overloading, the Issuer's infrastructure (unintentional DDoS). Using the time of fetching as baseline or adding some random delay on top of iat+ttl are common methods to avoid unintentionally DDoS-ing an Issuer's infrastructure.
It is up to applications and deployments of the status list specification to weigh the various parameters mentioned above into their implementation decision.

@paulbastian paulbastian mentioned this issue Mar 21, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@paulbastian paulbastian

Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@c2bo @paulbastian @remcoschaar