Based on where I currently am, here is another review of the document.

1. In section 4, for Figure 1: Is the term "RS Information" your term or an OAuth term? When I see this I think of it as information for, not about, the RS, which I do not believe is the intent.

2. In section 5.1: I am unclear what the second paragraph is supposed to be doing here. I think that you want to state this differently. Rather than talking about the "desired resource" you may want to talk about the AS. That would better match the title of the section.

3. In section 5.1: There is a note in this section that does not seem to be extremely useful. Where is this discussion going on? Is it still going on? I am not even sure if the statement about a common understanding of time is correct. It seems that one can either add or not add the nonce as an RS depending on whether you think you understand a common time.

4. In section 5.3: There is a reference to I-D.erdtman-ace-rpcc. Given the use of PoP tokens, what is the reason for this draft and the text about client credential types? (Put it this way: I did not need to implement this for anything yet. Why is it here?) Given 15 different introspection tokens, how do I decide which is the one to present to the AS? Enumerate them?

'authorization code' vs 'decode code' grants

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
