Add further implementation guidance around when and how to use ttl vs exp claim

[tplooker]

Also consider the application and usage of a mechanism like etag to allow a consuming party to determine whether their copy of a given status list is the latest.

[tplooker]

Include rationale for why we need both.

• For example having a ttl claim and exp means the issuer of the status list doesn't need to resign it if there is no updates within the expiry window.
• This approach also helps to spread out cache invalidation by downstream parties rather then synchronising them with an expected update time stamp.

[joelposti]

Since Status List Tokens are distributed via HTTP endpoints it might be beneficial to elaborate on how ttl and exp claims interplay with HTTP headers such as Cache-Control and Expires.

For example, if the value of ttl claim is 60 and the value of Cache-Control HTTP header is max-age=30 which of these takes the precedence? My assumption is that ttl takes precedence since its signed data.

Another example: ttl is 60 but Cache-Control HTTP header is no-store. Should the consumer cache the Status List Token or not? Issuer says yes, but whatever CDN operator says no.

[paulbastian]

Editors Call:

• put it under implementation considerations
• highlight difference exp being point of time, ttl is a duration
• include the ascii art explainer we once created

[tplooker]