Hi Julian, thank you for your comments. Answers inline.

We mostly addressed them locally and will publish a new version when all IESG reviews are available and addressed by us.

Best regards,
Karsten

On 01.11.2021 11:33, Julian Reschke via Datatracker wrote:
> Review is partially done. Another assignment may be needed to complete it.
> Reviewer: Julian Reschke
> Review result: Almost Ready
> (I have reviewed this with zero knowledge of OAuth, so additional review probably would be good)
>
> Major issues:
>
> 2.4 "Clients MUST compare the extracted and URL-decoded value to the issuer identifier of the authorization server where the authorization request was sent to."
>
> I'm not sure that "URL-decoded" is correct with respect to decoding query parameters. Consider URLs containing "+" or "=". You probably need the encoding rules for application/x-www-form-urlencoded instead.

Good point. We changed the text to refer to application/x-www-form-urlencoded.
> Minor issues:
>
> References to registries should not be listed as normative.
+1, that was an editorial mistake. Fixed.
> Nits:
>
> Section links to external documents do not appear to be marked up as such (and use a trailing dot in the section number which they should not)

I am actually not sure how to fix this. I removed the trailing dot (thanks for the hint) but when converting markdown to XML the section is not automatically recognized.
My markdown looks like this:

    The authorization response as specified in Section 4.1.2 of [@!RFC6749]

The XML file like this:

    The authorization response as specified in Section 4.1.2 of <xref target="RFC6749"></xref>
Is there some example how to link the sections in external RFCs or should we create the links manually?
> There are no Acks; so section 6 should be deleted (if there were acks they should go into an unnumbered section at the end of the document)
We added missing Acks and moved them to the appendix.
--
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog:
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum
Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
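The decoding point raised for section 2.4, shown in working code as an added example (not from the draft or from either author): the client extracts `iss` from the authorization response with application/x-www-form-urlencoded rules, where the query is split on `&` and `=` before decoding and a literal `+` becomes a space, and then compares it exactly to the issuer the request was sent to. All issuer identifiers and redirect URIs below are constructed placeholders.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def decode_query_value(raw_value: str) -> tuple:
    """Decode one raw query value two ways and return
    (plain percent-decoding, application/x-www-form-urlencoded decoding).
    They differ on a literal '+': form decoding turns it into a space,
    plain percent-decoding leaves it alone. '%2B' decodes to '+' either way."""
    percent_decoded = unquote(raw_value)
    form_decoded = parse_qs("v=" + raw_value, keep_blank_values=True)["v"][0]
    return percent_decoded, form_decoded


def extract_iss(redirect_uri: str):
    """Return the single 'iss' value of the authorization response, or None
    when it is missing or repeated. parse_qs splits on '&' and '=' first and
    decodes each part afterwards, so an encoded delimiter inside the value
    cannot shift the parameter boundaries."""
    params = parse_qs(urlsplit(redirect_uri).query, keep_blank_values=True)
    values = params.get("iss", [])
    return values[0] if len(values) == 1 else None


def issuer_matches(redirect_uri: str, expected_issuer: str) -> bool:
    """Exact string comparison against the issuer identifier of the
    authorization server the request was sent to. A missing, repeated or
    different value is a mismatch and the response must be rejected."""
    iss = extract_iss(redirect_uri)
    return iss is not None and iss == expected_issuer


# Constructed sample values (placeholders, not real deployments).
EXPECTED = "https://as.example.com"
GOOD = "https://client.example/cb?code=c1&state=s1&iss=https%3A%2F%2Fas.example.com"
OTHER = "https://client.example/cb?code=c1&state=s1&iss=https%3A%2F%2Fother-as.example"
DUPLICATE = GOOD + "&iss=https%3A%2F%2Fas.example.com"

if __name__ == "__main__":
    print(issuer_matches(GOOD, EXPECTED))       # True
    print(issuer_matches(OTHER, EXPECTED))      # False: issuer differs
    print(issuer_matches(DUPLICATE, EXPECTED))  # False: parameter repeated
    print(decode_query_value("https%3A%2F%2Fas.example.com%2Ftenant+1"))
```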
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
