Éric Vyncke has entered the following ballot position for draft-ietf-oauth-identity-chaining-14: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks for the work done in this document.

I regret that the shepherd's write-up does not have real justifications for the intended publication status or for the number of authors.

In section 2.5, should this rather be a "MUST" in `Authorization Servers SHOULD verify that the requested scopes are not higher privileged than the scopes of the presented subject_token`? If "SHOULD" is kept, then please provide the additional guidance per https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/

The same issue in section 5.4, i.e., why not a "MUST NOT" in `The authorization server in trust domain B SHOULD NOT issue refresh tokens`?

The same IESG statement also considers that BCP14 terms should not be used in an appendix.

Final regret for not using SVG graphics, but this is cosmetic.
