My slightly late WGLC review follows...
SUBSTANTIVE ISSUES:
Section 3, paragraph 8: Change "extension variables such as "nonce",
"userinfo", and "id_token"" to "extension parameters such as "nonce",
"max_age", and "claims"". ("userinfo" and "id_token" are values within the
"claims" extension parameter.)
Section 4.2, bullet 2: Change "The maximum URL length supported by Internet
Explorer is 2083 ASCII characters" to "The maximum URL length supported by
older versions of Internet Explorer was 2083 ASCII characters". (This has
since been fixed. I know - because I filed the bug that resulted in the fix!
:-) )
Section 4.2.1, paragraph 2: Change "requested values for Claims" to "private
information".
Section 5.1: Change "The result MAY be either a signed or unsigned (plaintext)
Request Object" to "The result MAY be either a JWT Claims Set representing the
request parameters or if the JWE is a nested JWT, a signed JWT containing the
request parameters".
Section 6, paragraph 2: Change "this document defines additional error values
as follows" to "this document uses these additional error values".
Section 7: Change the IANA Considerations text to "This specification requests
no actions by IANA."
Section 8, second paragraph: Delete the security considerations paragraph
about not using "alg":"none". Using an Unsecured JWS is no worse than sending
the parameters the usual way.
NITS:
Section 1, bullet 3: In "The authorization server then examines the signature
and show the conformance status to the end-user, who would have some assurance
as to the legitimacy of the request when authorizing it", change "show" to
"shows".
Section 1, second bullet 3: This is currently a run-on sentence, and needs to
be split into two sentences: "The request_uri may include a SHA-256 hash of the
file, as defined in FIPS180-2 [FIPS180-2], the server knows if the file has
changed without fetching it, so it does not have to re-fetch a same file, which
is a win as well."
Section 1, second bullet 4: This sentence is missing a verb: " When the client
wants to simplify the implementation without compromising the security."
Section 1, second bullet 4: Change "they may be tampered in the browser" to
"they may be tampered with in the browser".
Section 1, second bullet 4: Change "This implies we need to have signature on
the request as well" to "This implies we need to have a signature on the
request as well".
Section 1, second bullet 4: Change "tampered" to "tampered with".
Section 3, paragraph 1: Change "JWT [RFC7519] Claims Set" to "JWT Claims Set
[RFC7519]".
Section 3, paragraph 4: Change "REQUIRED OAuth 2.0 Authorization Request
parameters that are not included in the Request Object MUST be sent as a query
parameter" to "REQUIRED OAuth 2.0 Authorization Request parameters that are not
included in the Request Object MUST be sent as query parameters".
Section 3, paragraph 4: Change "If a required parameter is not present in
neither the query parameter nor the Request Object, it forms a malformed
request" to "If a required parameter is not present in either as a query
parameter or in the Request Object, the request is malformed".
Section 3, paragraph 6: Change "the values in the Request Object takes
precedence" to "the values in the Request Object take precedence".
Section 3, paragraph 6: Change "it cannot include such parameters like "state"
that is expected to differ in every request" to "it cannot include parameters
such as "state" that are expected to differ in every request".
Section 4, paragraph 6: Delete "(line breaks are for display purposes only)"
since there are no extra line breaks in the example.
Thanks for doing this, guys...
-- Mike
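As an added illustration (not part of this review or of the draft itself), here is Python that applies the merge rules the review restates for Section 3 (values in the Request Object take precedence, a required parameter present in neither the query nor the Request Object makes the request malformed) and the request_uri hash check mentioned for Section 1. It handles only an Unsecured JWS ("alg":"none") Request Object, and it assumes the SHA-256 hash travels base64url-encoded in the request_uri fragment; both are assumptions made for this example.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlparse

# Parameters OAuth 2.0 requires on every Authorization Request (RFC 6749, Section 4.1.1).
REQUIRED_PARAMS = ("response_type", "client_id")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sha256_b64url(data: bytes) -> str:
    return b64url_encode(hashlib.sha256(data).digest())

def make_unsecured_jwt(claims: dict) -> str:
    """Build an Unsecured JWS ("alg":"none") Request Object: header.payload. with an empty signature."""
    header = b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def decode_unsecured_jwt(token: str) -> dict:
    """Parse an "alg":"none" Request Object; signed or encrypted ones are out of scope here."""
    header_b64, payload_b64, signature = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "none" or signature:
        raise ValueError("only an Unsecured JWS Request Object is handled here")
    return json.loads(b64url_decode(payload_b64))

def merge_authorization_request(url: str) -> dict:
    """Merge rules as the review restates them: Request Object values take
    precedence over query parameters, and a required parameter present in
    neither place makes the request malformed."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    request_jwt = query.pop("request", None)
    merged = dict(query)
    if request_jwt is not None:
        merged.update(decode_unsecured_jwt(request_jwt))
    missing = [p for p in REQUIRED_PARAMS if p not in merged]
    if missing:
        raise ValueError(f"malformed request: missing {missing}")
    return merged

def request_uri_hash_matches(request_uri: str, fetched_body: bytes) -> bool:
    """Compare the base64url SHA-256 hash in the request_uri fragment (assumed
    layout, constructed for this example) with the fetched Request Object file."""
    expected = urlparse(request_uri).fragment
    return bool(expected) and sha256_b64url(fetched_body) == expected
```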
-----Original Message-----
From: OAuth [mailto:[email protected]] On Behalf Of Hannes Tschofenig
Sent: Tuesday, October 20, 2015 6:03 PM
To: [email protected]
Subject: [OAUTH-WG] WGLC for draft-ietf-oauth-jwsreq-06
Hi all,
we would like to start a WGLC on draft-ietf-oauth-jwsreq-06:
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-06
This will be a 2-week last call, so it will end on November 3rd.
The WGLC timing is good since our OAuth meeting in Yokohama is on the Thursday,
November 5th and you might want to prepare for the WG session anyway.
Please send comments to the list.
Ciao
Hannes