In yesterday's call we decided to rearrange some text from FedAuthz into Grant and highlight it as privacy considerations. I've done that in this commit:

https://github.com/KantaraInitiative/wg-uma/commit/3bea4d67c292d873c752fe52d0342592e88479b1

I'd like to draw your attention particularly to this new passage:

"In order to account for modifications of policy conditions that result in the withdrawal of authorization grants (for example, fewer scopes, fewer resources, or resources available for a shorter time) in as timely a fashion as possible, the authorization server should align its strategies for management of these factors with resource owner needs and actions rather than those of clients and requesting parties. For example, the authorization server may want to invalidate a client's RPT and refresh token as soon as a resource owner changes policy conditions in such a way as to deny that client and requesting party future access to a full set of previously held permissions."

There's now a companion small privacy consideration in FedAuthz privacy considerations like this:

"As noted in Section 6.1 of <xref target="UMAGrant" />, the authorization server should apply authorization, security, and time-to-live strategies in a way that favors resource owner needs and action so that removal of authorization grants is achieved in a timely fashion. PATs are another construct to which it can apply these strategies."

Your feedback is welcome.

My plan is to get revs 07 out in the next day or so for people to review against all our decisions, and then by the end of next week to start a Draft Recommendations approval e-ballot after you've all had a real chance for review. IF ANY VOTING PARTICIPANT WILL BE 100% OFFLINE and unable to participate in such activities in the next couple of weeks, please let me know!

Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
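The passage quoted above describes a behaviour rather than an algorithm: when a resource owner narrows policy (fewer scopes, fewer resources, or a shorter validity window), the authorization server invalidates the affected client's RPT and refresh token immediately instead of waiting for the token's own time-to-live to run out. The following is an added example, not code from the UMA specifications or the wg-uma repository, showing one way an authorization server could implement that rule in memory. The class and function names (`AuthorizationServer`, `Policy`, `Grant`, `set_policy`, `issue_rpt`) and the tuple key of owner, client and requesting party are assumptions for illustration; the policy model is deliberately minimal.

```python
"""Added example (not UMA spec or wg-uma code): an in-memory authorization
server that revokes a client's RPT and refresh token as soon as a resource
owner's policy change withdraws any permission the token already carries.
All names below are illustrative assumptions, not spec-defined constructs."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PolicyKey = Tuple[str, str, str]  # (resource owner, client_id, requesting party)


@dataclass
class Policy:
    # resource_id -> scopes the resource owner allows this client/party pair
    scopes_by_resource: Dict[str, Set[str]]
    # absolute expiry (seconds since epoch) for the grant; None = no time limit
    expires_at: Optional[float] = None


@dataclass
class Grant:
    rpt: str
    refresh_token: str
    owner: str
    client_id: str
    requesting_party: str
    permissions: Dict[str, Set[str]]  # resource_id -> scopes held by this RPT
    expires_at: Optional[float]
    active: bool = True


class AuthorizationServer:
    def __init__(self) -> None:
        self.policies: Dict[PolicyKey, Policy] = {}
        self.grants: Dict[str, Grant] = {}            # rpt -> Grant
        self.refresh_index: Dict[str, str] = {}       # refresh_token -> rpt
        self._counter = 0

    def _new_token(self, prefix: str) -> str:
        # Constructed token values; a real server would use random, opaque tokens.
        self._counter += 1
        return f"{prefix}-{self._counter}"

    @staticmethod
    def _covered(permissions: Dict[str, Set[str]],
                 expires_at: Optional[float], policy: Policy) -> bool:
        """True only if every held scope on every resource is still allowed
        and the grant does not outlive the policy's validity window."""
        for resource_id, scopes in permissions.items():
            if not scopes <= policy.scopes_by_resource.get(resource_id, set()):
                return False   # fewer scopes or the resource was removed
        if policy.expires_at is not None:
            if expires_at is None or expires_at > policy.expires_at:
                return False   # resource now available for a shorter time
        return True

    def issue_rpt(self, owner: str, client_id: str, party: str,
                  permissions: Dict[str, Set[str]],
                  expires_at: Optional[float]) -> Grant:
        policy = self.policies[(owner, client_id, party)]
        if not self._covered(permissions, expires_at, policy):
            raise PermissionError("requested permissions exceed policy")
        grant = Grant(self._new_token("rpt"), self._new_token("rt"), owner,
                      client_id, party, permissions, expires_at)
        self.grants[grant.rpt] = grant
        self.refresh_index[grant.refresh_token] = grant.rpt
        return grant

    def set_policy(self, owner: str, client_id: str, party: str,
                   policy: Policy) -> List[str]:
        """Install the resource owner's new policy and immediately invalidate
        every active grant for that client/party that it no longer fully
        covers. Returns the RPTs that were revoked."""
        key = (owner, client_id, party)
        self.policies[key] = policy
        revoked: List[str] = []
        for grant in self.grants.values():
            same_pair = (grant.owner, grant.client_id, grant.requesting_party) == key
            if grant.active and same_pair and not self._covered(
                    grant.permissions, grant.expires_at, policy):
                grant.active = False          # RPT dead
                self.refresh_index.pop(grant.refresh_token, None)  # refresh token dead
                revoked.append(grant.rpt)
        return revoked

    def introspect(self, rpt: str) -> bool:
        grant = self.grants.get(rpt)
        return grant is not None and grant.active

    def refresh(self, refresh_token: str) -> Optional[str]:
        """Return the RPT a refresh token belongs to, or None once revoked."""
        return self.refresh_index.get(refresh_token)
```

Widening a policy (adding scopes or extending the window) revokes nothing, since every held permission remains covered; only a narrowing trips the check. The FedAuthz companion text applies the same idea to PATs, which would be handled by the same `_covered`-style comparison keyed on the resource server rather than on a client and requesting party.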