Murray Kucherawy has entered the following ballot position for draft-ietf-oauth-jwsreq-26: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

The directorate reviews are from 15 or more versions ago. I wonder if returning documents like this should be sent through the directorates again as a matter of course.

Abstract: "... the communication through the user agents are not ..." -- s/are/is/

Section 1 expressly cites two IANA URLs. I suggest simply naming the registry or sub-registry; the URLs might not be permanent. Or if you like the URL, do it as a reference, as you did with [IANA.MediaType].

The two bullets at the end of Section 1 toggle between "crypto" and "cryptography". I suggest picking one, preferably the latter (as did the rest of the document).

In Section 3, should URI and URL include references to their defining RFCs? I realize a reader familiar with this space probably knows those terms, but they seem to be the only acronyms without a reference here.

When would an implementer legitimately disregard the SHOULD in Section 4?

As Benjamin Kaduk also expressed, I'm a little puzzled by this text in Section 5.2: "The "request_uri" value MUST be reachable by the Authorization Server." Is this part of the protocol?

All of the subsections of Section 9 say: "This specification adds the following values to the "OAuth Parameters" registry established ..." but they all are actually modifying different sub-registries. I suggest naming the sub-registries explicitly. I realize the subsection titles have it right, but this line of repeated prose had me squinting a bit.
