Merge branch 'main' into jag-uk/23-async-operations-locators
SteveLasker authored Jan 2, 2025
2 parents 2987f70 + e1ece4c commit bf5801a
Showing 1 changed file with 2 additions and 11 deletions.
13 changes: 2 additions & 11 deletions draft-ietf-scitt-scrapi.md
@@ -60,7 +60,6 @@ normative:
IANA.params:

informative:
I-D.draft-demarco-oauth-nonce-endpoint: Nonce-Endpoint
I-D.draft-ietf-oauth-sd-jwt-vc: SD-JWT-VC
RFC2046:
RFC6838:
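Review bot: dropping the `I-D.draft-demarco-oauth-nonce-endpoint: Nonce-Endpoint` entry from `informative:` is only safe if no `{{-Nonce-Endpoint}}` citation survives elsewhere in the draft; a citation whose anchor is no longer in the references block will not resolve at build time, so grep the body for `Nonce-Endpoint` before merging. If the text still mentions a nonce endpoint anywhere, the reference should stay.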
@@ -103,6 +102,7 @@ This specification uses "payload" as defined in {{RFC9052}}.
# Endpoints

Authentication is out of scope for this document.
Implementations MAY authenticate clients, for example for authorization or to prevent denial of service.
If Authentication is not implemented, rate limiting or other denial of service mitigation MUST be applied to enable anonymous access.

NOTE: '\' line wrapping per {{RFC8792}} in HTTP examples.
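Review bot: the new sentence `Implementations MAY authenticate clients, for example for authorization or to prevent denial of service.` sits directly under `Authentication is out of scope for this document.`, which reads as contradictory: if the document takes no position it should not also carry a MAY, and if it carries a MAY the scope sentence should say that the authentication mechanism is what is out of scope. Two smaller points on the following line: `If Authentication is not implemented` capitalises a common noun mid-sentence, and `MUST be applied to enable anonymous access` reads as if rate limiting grants access; `MUST be applied where anonymous access is allowed` states the intent. Since this paragraph becomes the only place that says anything about client authentication once the per-endpoint SHOULD/SHOULD NOT lines below are removed, it should also say whether the MUST on denial-of-service mitigation applies per endpoint or to the service as a whole.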
@@ -124,7 +124,7 @@ application/concise-problem-details+cbor

NOTE: SCRAPI is not a CoAP API. Nonetheless Constrained Problem Details objects ({{RFC9290}}) provide a useful CBOR encoding for problem details and avoids the need for mixing CBOR and JSON in endpoint implementations.

As an example, submitting a Signed Statement with an unsupported signature algorithm would return a `400 Bad Request` status code and the following body:
Examples of errors may include:

~~~ cbor-diag
{
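Review bot: the lead-in `As an example, submitting a Signed Statement with an unsupported signature algorithm would return a `400 Bad Request` status code and the following body:` is replaced by `Examples of errors may include:`, which no longer tells the reader which HTTP status accompanies the problem-details body or what triggered it. A CBOR problem-details example without its status code is hard to implement against; keep at least the status code in the new wording (for example `Examples of errors, with their HTTP status codes, include:`), and if the merge was meant to keep the concrete unsupported-algorithm example, restore it rather than replace it.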
@@ -154,8 +154,6 @@ The following HTTP endpoints are mandatory to implement to enable conformance to

### Transparency Configuration

Authentication SHOULD NOT be implemented for this endpoint.

This endpoint is used to discover the capabilities and current configuration of a transparency service implementing this specification.

The Transparency Service responds with a dictionary of configuration elements.
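Review bot: removing `Authentication SHOULD NOT be implemented for this endpoint.` from Transparency Configuration leaves the discovery endpoint under the generic `Implementations MAY authenticate clients` rule, which is a change of meaning rather than a relocation: a client that has no credentials yet (it fetches the configuration precisely to learn how to talk to the service) can now be locked out. If the intent is to centralise the authentication text, the Endpoints section should still carry the exception for discovery endpoints; if the intent is to permit authenticated configuration, say so explicitly.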
@@ -198,7 +196,6 @@ Fields that are not understood MUST be ignored.

### Register Signed Statement

Authentication MAY be implemented for this endpoint.
See notes on detached payloads below.

This endpoint instructs a Transparency Service to register a Signed Statement on its log.
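Review bot: with `Authentication MAY be implemented for this endpoint.` gone, the section now opens with `See notes on detached payloads below.` before the reader knows what the endpoint does; move that forward reference after `This endpoint instructs a Transparency Service to register a Signed Statement on its log.` The removal itself matches the general MAY in the Endpoints section, so there is no behavioural change here.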
@@ -678,8 +675,6 @@ Payload (in CBOR diagnostic notation)

### Resolve Signed Statement

Authentication SHOULD be implemented for this endpoint.

This endpoint enables Transparency Service APIs to act like Artifact Repositories, and serve Signed Statements directly, instead of indirectly through Receipts.

Request:
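Review bot: deleting `Authentication SHOULD be implemented for this endpoint.` downgrades Resolve Signed Statement from SHOULD to the generic MAY, and this is the endpoint that serves `Signed Statements directly, instead of indirectly through Receipts`, i.e. the one place where the service hands out the registered content itself rather than a proof about it. If the downgrade is deliberate, a sentence noting that operators serving non-public statements need access control on this endpoint would preserve the guidance; if it is a merge artefact, restore the SHOULD.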
@@ -743,8 +738,6 @@ The `iat`, `exp` and `kid` claims can change each time a Receipt is exchanged.

This means that fresh Receipts can have more recent issued at times, further in the future expiration times, and be signed with new signature algorithms.

Authentication SHOULD be implemented for this endpoint.

Request:

~~~ http-message
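Review bot: same downgrade as in Resolve Signed Statement: `Authentication SHOULD be implemented for this endpoint.` is removed and only the generic MAY applies. Because `fresh Receipts can have more recent issued at times, further in the future expiration times, and be signed with new signature algorithms`, every call here costs the Transparency Service a new signature, so for anonymous callers the only protection left is the rate-limiting MUST in the Endpoints section; reference that requirement here rather than rely on the reader connecting the two.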
@@ -785,8 +778,6 @@ Payload (in CBOR diagnostic notation)
### Resolve Issuer

This endpoint is inspired by {{-SD-JWT-VC}}.
Authentication SHOULD NOT be implemented for this endpoint.
This endpoint is used to discover verification keys, which is the reason that authentication is not required.

The following is a non-normative example of a HTTP request for the Issuer Metadata configuration when `iss` is set to `https://transparency.example/tenant/1234`:
