[OAUTH-WG] Genart last call review of draft-ietf-oauth-jwsreq-30

2020-09-24 Thread Joel Halpern via Datatracker
Reviewer: Joel Halpern Review result: Ready I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more

Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request

2020-09-24 Thread Takahiko Kawasaki
Hi Vladimir, Just FYI. To be exact, FAPI (version 1) Part 1 (Read-Only) does not require all request parameters be put duplicately in a request object. It is FAPI (version 1) Part 2 (Read-Write) (Section 5.2.2

Re: [OAUTH-WG] [JAR] scope parameter outside request object of OIDC request

2020-09-24 Thread Vladimir Dzhuvinov
Hi Taka, Speaking of the OIDC Core 1.0 conformance tests, IMO those should not change with the publication of JAR. Speaking of the FAPI 1.0 tests, those already require all request parameters to be JWT-secured, which makes the requests also JAR compliant: all parameters are found in the JWT,

Re: [OAUTH-WG] New podcast on identity specifications

2020-09-24 Thread Denis
Hello Brian, The text was not mentioning explicitly draft-ietf-oauth-dpop-01. While re-reading the text, it only appears in a link. I am NOT arguing that collaboration attacks are something that DPoP is expected to address. I am arguing that DPoP should mention in its Security Considerations