On Tue, Jan 03, 2017 at 05:52:22PM +0100, Denis wrote:

> *1°. The draft will be unable to move to Draft Standard*
>
> The Intended status of draft-ietf-oauth-jwsreq is Standards Track.
>
> RFC 5657 states: Advancing a protocol to Draft Standard requires
> documentation of the *interoperation and implementation of the protocol.*
>
> The goal of a Standards Track RFC is to define *interoperable protocols*,
> hence not simply to define the syntax of a request leaving dozens of
> possibilities about the treatment of the parameters that may be included
> in the request to the AS.
>
> Generally speaking, the text is silent about the treatment of _every_
> parameter of the JAR. In particular, what kind of verification and
> processing SHALL be done by the Authorization Server on "aud", since both
> "iss" and "aud" SHOULD be present (see page 6) in the Authorization Request.
>
> The document currently fails to *clearly indicate which parameters of
> the JAR are used by the Authorization Server to validate the JAR itself
> and which parameters are used to build the requested access token*.
>
> For example, is the "aud" parameter supposed to identify the AS or the RS?
>
> This means that the text should be sufficiently clear so that two
> different implementations can interoperate. This will not be the case if
> the text stays like this.
>
> The goal of Standards Track RFCs is not to define frameworks but
> *interoperable protocols.*
While I applaud the goal of interoperability, I must raise the big flag
that no one said anything about "Draft Standard" for this document, and
RFC 6410 eliminates the "Draft Standard" status. And from a pragmatic
point of view, if it is necessary to first specify a framework before one
can get consensus to specify something fully specified and interoperable,
then that's a fine step to take. So, I'm not sure that I'm convinced by
this particular item from your list.

-Ben

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
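The check Denis asks the draft to pin down, as an added illustration that is not code from this thread or from draft-ietf-oauth-jwsreq: a hypothetical AS-side routine that verifies a request object's signature, pins "iss" to the requesting client_id and "aud" to this AS's own issuer identifier (one of the two readings his question leaves open), and then separates the claims used only to validate the JAR from the OAuth parameters used to build the grant. The HS256-with-client-secret signing, the claim split, and all sample values are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumption (editor's illustration, not the draft's text): claims the AS
# consumes only to validate the request object itself, as opposed to the
# OAuth parameters it turns into an authorization grant / access token.
JAR_VALIDATION_CLAIMS = {"iss", "aud", "exp", "nbf", "iat", "jti"}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_request_object(claims, client_secret):
    """Build a constructed sample JAR: a JWS signed with HS256 over the claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_jar(request_object, client_id, client_secret, as_issuer):
    """AS-side check: verify the JWS, then require 'iss' == client_id and 'aud'
    naming this AS. Returns (validation_claims, oauth_params) or raises."""
    header_b64, payload_b64, sig_b64 = request_object.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the sender pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != client_id:
        raise ValueError("iss must be the requesting client_id")
    aud = claims.get("aud")
    if as_issuer not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud must name this authorization server")
    if claims.get("client_id", client_id) != client_id:
        raise ValueError("client_id inside the request object does not match")
    validation = {k: v for k, v in claims.items() if k in JAR_VALIDATION_CLAIMS}
    oauth_params = {k: v for k, v in claims.items() if k not in JAR_VALIDATION_CLAIMS}
    return validation, oauth_params
```

A request object whose "aud" names a resource server instead of the AS is rejected by this routine, which is exactly the interoperability choice the thread says the draft leaves unspecified.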
