From 6bd3ac0fe93d3908db23c1bc61382aa72df174bf Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 18 Oct 2024 00:25:21 +0200 Subject: [PATCH 1/3] Redirects - resolves oasis-tcs/csaf#798 - add sentence about max redirects --- csaf_2.1/prose/edit/src/distributing.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 954498e55..6846e9a05 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md @@ -50,6 +50,8 @@ Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects > Reasoning: Clients should not parse the payload for navigation and some, as e.g. `curl`, do not follow any other kind of redirects. +If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects. + ### Requirement 7: provider-metadata.json The party MUST provide a valid `provider-metadata.json` according to the schema From f826d1e4437f91402eb05ab8d3fa75e080c600f7 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 25 Oct 2024 22:30:28 +0200 Subject: [PATCH 2/3] Requirements 9 and 10 - fixes oasis-tcs/csaf#811 - add comment that not redirects are allowed in requirement 9 and 10 --- csaf_2.1/prose/edit/src/distributing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index 6846e9a05..e5bcd940f 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
@@ -150,7 +150,7 @@ If one of the URLs fulfills requirement 9, this MUST be used as the first CSAF e ### Requirement 9: Well-known URL for provider-metadata.json The URL path `/.well-known/csaf/provider-metadata.json` under the main domain of the issuing authority serves directly -the `provider-metadata.json` according to requirement 7. +the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details. *Example 1:* @@ -162,7 +162,7 @@ The use of the scheme "HTTPS" is required. See [cite](#RFC8615) for more details ### Requirement 10: DNS path The DNS record `csaf.data.security.domain.tld` SHALL resolve as a web server which serves directly -the `provider-metadata.json` according to requirement 7. +the `provider-metadata.json` according to requirement 7. That implies that redirects SHALL NOT be used. The use of the scheme "HTTPS" is required. ### Requirement 11: One folder per year From 8ec5d8fa8ae2218d609f94cf32db9204fd951525 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Fri, 25 Oct 2024 22:33:36 +0200 Subject: [PATCH 3/3] RFC 9116 - addresses parts of oasis-tcs/csaf#318 - reflect current state of CSAF field in security.txt --- csaf_2.1/prose/edit/src/distributing.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md index e5bcd940f..8dfb5d209 100644 --- a/csaf_2.1/prose/edit/src/distributing.md +++ b/csaf_2.1/prose/edit/src/distributing.md 
@@ -130,8 +130,8 @@ In the security.txt there MUST be at least one field `CSAF` which points to the If this field indicates a web URI, then it MUST begin with "https://" (as per section 2.7.2 of [cite](#RFC7230)). See [cite](#SECURITY-TXT) for more details. -> The security.txt was published as [cite](#RFC9116) in April 2022. At the time of this writing, -> the `CSAF` field is in the process of being officially added. +> The security.txt was published as [cite](#RFC9116) in April 2022. +> The `CSAF` field was officially added through the IANA registry. *Examples 1:*
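Review bot: in the sentence added by the first patch, "If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.", the keyword is written "SHOULD not" with a lowercase "not"; the normative keyword is "SHOULD NOT" (as in the surrounding context line "Redirects SHOULD NOT be used."), and a lowercase "not" is easily missed by readers and by tooling that scans for RFC 2119 terms. Suggest "there SHOULD NOT be more than 5 and MUST NOT be more than 10 consecutive redirects". It would also help to state what a client does when the limit is exceeded (for example, abort the retrieval and treat the document as unavailable), since as written the MUST NOT only constrains the provider.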
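Review bot: the sentence added to requirement 9, "That implies that redirects SHALL NOT be used.", introduces SHALL NOT where the redirect rule it tightens (the "SHOULD NOT" / "MUST NOT be more than 10" wording in the first patch) uses MUST NOT; RFC 2119 treats the two as equivalent, but mixing them in neighbouring requirements invites the question whether a different strength is intended. Suggest "This implies that redirects MUST NOT be used." plus a cross-reference to the general redirect rule, so a reader of the redirect limit sees that the well-known URL is the case where zero redirects are allowed.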
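Review bot: requirement 10 is about a DNS record, so the added "That implies that redirects SHALL NOT be used." should say that it means HTTP redirects (the "HTTP Header redirects" the redirect rule refers to) and not DNS-level aliasing: a CNAME from `csaf.data.security.domain.tld` to the hostname of the actual web server is still a direct resolution and presumably remains permitted, whereas a 3xx response from that web server is what the sentence forbids. Suggest "That implies that HTTP redirects SHALL NOT be used." (or MUST NOT, matching whatever requirement 9 settles on).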
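Review bot: the replacement line "The `CSAF` field was officially added through the IANA registry." is less specific than the text it replaces: it does not say which registry (RFC 9116 establishes a registry for security.txt fields at IANA) and, unlike the preceding reference to RFC 9116, carries no [cite](#...) entry a reader can follow to verify the field's status. Suggest naming the registry and adding a citation key for it, e.g. "The `CSAF` field was officially added to the IANA security.txt fields registry; see [cite](#...) for details." with the matching reference added to the bibliography. The commit message also says it only "addresses parts of" oasis-tcs/csaf#318, so the remaining parts should stay tracked on that issue.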