Gabriel Corona
What about something like "ensure that changes of roles and entitlement are taken into account in the policy enforcement points in at most `X`". When using some kind of reference...
> Maybe the solution is to either allow a grace period or make this an L2 or L3 requirement. Yes, in practice for scalability reasons, you are often going to...
> real time Actually, the definition of "real-time" is that the delay must be bounded by some specified value, so if we wanted to paraphrase the meaning of this, it...
> as there is quite a big overlap for a web application and "non-web application". Note: some of the requirements (i.e. in the crypto, OAuth/OIDC) were formulated with the web...
> Verify that stateless session tokens make use of a digital signature to protect against tampering and this is checked before processing it further. To be strict this should be...
> Verify that all active stateless tokens, which are being relied upon for access control decisions, are revoked when admins change the entitlements or roles of the user. We can't...
> A common strategy is to maintain a unique token ID or use redis/memcache to maintain temporary revoke lists. Yes, my point was that it is not really stateless anymore....
I would say the use case for access tokens which last a few minutes is to have really stateless access tokens while providing short grant revocation propagation. [RFC6819](https://www.rfc-editor.org/rfc/rfc6819#section-5.1.5.2) says: >...
> And although this may mean by a strict definition the architecture is not completely stateless, these revocation strategies are still mostly stateless and do not require a full-on server-side...
"HMAC" should be replaced by "MAC": any other (non-broken) MAC could be used. (Would it be useful to mention authenticated encryption algorithms here?)