Thanks, I concur.
Aaron

On Tue, Apr 15, 2025 at 10:19 PM Phil Hunt <phil.h...@yahoo.com> wrote:

> I concur
>
> Phil
>
> > On Apr 15, 2025, at 10:09 PM, Michael Jones <michael_b_jo...@hotmail.com>
> wrote:
> >
> > Thank you, Lynne.  Please record in
> https://www.rfc-editor.org/auth48/rfc9728 that I approve of the
> publication of the current draft as RFC 9728.
> >
> > Phil, Aaron, do you concur?
> >
> >                                Thanks all,
> >                                -- Mike
> >
> > -----Original Message-----
> > From: Lynne Bartholomew <lbartholo...@staff.rfc-editor.org>
> > Sent: Tuesday, April 15, 2025 10:33 AM
> > To: Michael Jones <michael_b_jo...@hotmail.com>
> > Cc: Aaron Parecki <aa...@parecki.com>; rfc-edi...@rfc-editor.org;
> phil.h...@yahoo.com; oauth-...@ietf.org; oauth-cha...@ietf.org;
> rifaat.s.i...@gmail.com; Deb Cooley <debcool...@gmail.com>;
> auth48archive@rfc-editor.org
> > Subject: Re: AUTH48: RFC-to-be 9728
> <draft-ietf-oauth-resource-metadata-13> for your review
> >
> > Hi, Mike.  Thanks for your replies!  We have updated this document per
> your notes below.
> >
> > Apologies for the missing space before the email address; thank you for
> catching that!
> >
> > We also removed the "<!-- [rfced] " comment.  (We'd left it in until the
> remaining part of the question was addressed, so that it wouldn't fall
> through the cracks.)
> >
> > The latest files are posted here.  Please refresh your browser:
> >
> >   https://www.rfc-editor.org/authors/rfc9728.txt
> >   https://www.rfc-editor.org/authors/rfc9728.pdf
> >   https://www.rfc-editor.org/authors/rfc9728.html
> >   https://www.rfc-editor.org/authors/rfc9728.xml
> >   https://www.rfc-editor.org/authors/rfc9728-diff.html
> >   https://www.rfc-editor.org/authors/rfc9728-rfcdiff.html (side by side)
> >   https://www.rfc-editor.org/authors/rfc9728-auth48diff.html
> >   https://www.rfc-editor.org/authors/rfc9728-auth48rfcdiff.html (side
> by side)
> >   https://www.rfc-editor.org/authors/rfc9728-lastdiff.html
> >   https://www.rfc-editor.org/authors/rfc9728-lastrfcdiff.html (side by
> side)
> >
> >   https://www.rfc-editor.org/authors/rfc9728-xmldiff1.html
> >   https://www.rfc-editor.org/authors/rfc9728-xmldiff2.html
> >
> > Thanks again!
> >
> > RFC Editor/lb
> >
> >
> >> On Apr 14, 2025, at 5:45 PM, Michael Jones <michael_b_jo...@hotmail.com>
> wrote:
> >>
> >> Aaron and talked about my WWW-Authenticate response suggestion, based
> on that conversation, we'd like to change what I wrote below on that topic.
> >>
> >> Rather, let's leave the example as it currently is:
> >>  HTTP/1.1 401 Unauthorized
> >>  WWW-Authenticate: Bearer resource_metadata=
> >>    "https://resource.example.com/.well-known/oauth-protected-resource";
> >>
> >> Also, we agree with this this suggestion that you made.  Please apply
> it.
> >>
> >> Change:
> >>         The HTTP status code and error string in the example response
> above
> >>         are defined by <xref target="RFC6750"/>.
> >> to:
> >>         The HTTP status code in the example response above
> >>         are defined by <xref target="RFC6750"/>.
> >>
> >> Aaron agrees with the rest of my suggestions.  We look forward
> reviewing the next iteration.
> >>
> >>                               Thanks again!
> >>                               -- Mike
> >>
> >> -----Original Message-----
> >> From: Michael Jones
> >> Sent: Monday, April 14, 2025 5:29 PM
> >> To: 'Lynne Bartholomew' <lbartholo...@staff.rfc-editor.org>; Aaron
> Parecki <aa...@parecki.com>
> >> Cc: 'rfc-edi...@rfc-editor.org' <rfc-edi...@rfc-editor.org>; '
> phil.h...@yahoo.com' <phil.h...@yahoo.com>; 'oauth-...@ietf.org' <
> oauth-...@ietf.org>; 'oauth-cha...@ietf.org' <oauth-cha...@ietf.org>; '
> rifaat.s.i...@gmail.com' <rifaat.s.i...@gmail.com>; 'Deb Cooley' <
> debcool...@gmail.com>; 'auth48archive@rfc-editor.org' <
> auth48archive@rfc-editor.org>
> >> Subject: RE: AUTH48: RFC-to-be 9728
> <draft-ietf-oauth-resource-metadata-13> for your review
> >>
> >> Resending including Aaron Parecki <aa...@parecki.com>, since
> apparently <aaron=40parecki....@dmarc.ietf.org> didn't reach him.
> >>
> >> -----Original Message-----
> >> From: Michael Jones
> >> Sent: Monday, April 14, 2025 2:55 PM
> >> To: Lynne Bartholomew <lbartholo...@staff.rfc-editor.org>; Aaron
> Parecki <aaron=40parecki....@dmarc.ietf.org>
> >> Cc: rfc-edi...@rfc-editor.org; phil.h...@yahoo.com; oauth-...@ietf.org;
> oauth-cha...@ietf.org; rifaat.s.i...@gmail.com; Deb Cooley <
> debcool...@gmail.com>; auth48archive@rfc-editor.org
> >> Subject: RE: AUTH48: RFC-to-be 9728
> <draft-ietf-oauth-resource-metadata-13> for your review
> >>
> >> Thanks, Lynne.  My responses to your questions are inline below,
> prefixed by "Mike>".
> >>
> >> Reading the auth48diff, I also noticed a missing space before the
> e-mail address in the text "Registration requests should be sent to<
> oauth-ext-rev...@ietf.org>".
> >>
> >>                               Thanks again!
> >>                               -- Mike
> >>
> >> -----Original Message-----
> >> From: Lynne Bartholomew <lbartholo...@staff.rfc-editor.org>
> >> Sent: Monday, April 14, 2025 1:35 PM
> >> To: Aaron Parecki <aaron=40parecki....@dmarc.ietf.org>
> >> Cc: rfc-edi...@rfc-editor.org; michael_b_jo...@hotmail.com;
> phil.h...@yahoo.com; oauth-...@ietf.org; oauth-cha...@ietf.org;
> rifaat.s.i...@gmail.com; Deb Cooley <debcool...@gmail.com>;
> auth48archive@rfc-editor.org
> >> Subject: Re: AUTH48: RFC-to-be 9728
> <draft-ietf-oauth-resource-metadata-13> for your review
> >>
> >> Hi, Aaron.
> >>
> >> Thank you for your replies to our questions!
> >>
> >> We have three follow-up items for you:
> >>
> >> * Regarding this question and your reply:
> >>
> >>>> 5) <!-- [rfced] Sections 1 and 2:  We had trouble determining what
> >>>> "for instance" refers to in these sentences.  For example, in the
> >>>> first sentence listed below, we do not see any mention of "jwks_uri"
> >>>> in [FAPI.MessageSigning] (although we see "jwks_uri"
> >>>> in Section 2 of this document as well as RFCs 7591, 7592, 8414, 8705,
> >>>> 8725, 9068, 9700, and 9701, but [FAPI.MessageSigning] does not
> >>>> mention any of these published RFCs, except for one mention of RFC
> >>>> 8705 ("This is outside of the scope of both [RFC8705] and the FAPI
> >>>> standards")).  Could these sentences be reworded to make them
> >>>> clearer?
> >>>>
> >>>> Original:
> >>>> These values may be
> >>>> used by other specifications, such as the jwks_uri used to publish
> >>>> public keys the resource server uses to sign resource responses, for
> >>>> instance, as described in [FAPI.MessageSigning].
> >>>> ...
> >>>> JSON array containing a list of the JWS [JWS] signing
> >>>>   algorithms (alg values) [JWA] supported by the protected resource
> >>>>   for signing resource responses, for instance, as described in
> >>>>   [FAPI.MessageSigning].
> >>>>
> >>>> Possibly:
> >>>> These values may be
> >>>> used by other specifications, such as the jwks_uri (see Section 2)
> >>>> used to publish public keys the resource server uses to sign
> >>>> resource responses, as described in [FAPI.MessageSigning].
> >>>> ...
> >>>> JSON array containing a list of the JWS [JWS] signing
> >>>>   algorithms (alg values) [JWA] supported by the protected resource
> >>>>   for signing resource responses - for instance, as described in
> >>>>   [FAPI.MessageSigning]. -->
> >>>>
> >>> Please use this wording, as we identified another ambiguity in the
> previous wording:
> >>>
> >>> These values, such as the <tt>jwks_uri</tt> (see Section 2), may be
> >>> used with other specifications; for example, the public keys published
> >>> in the <tt>jwks_uri</tt> can be used to verify the signed resource
> responses, as described in [FAPI.MessageSigning].
> >>
> >> We updated the "These values ..." sentence per your note.  How may we
> update the following?
> >>
> >>> JSON array containing a list of the JWS [JWS] signing
> >>>   algorithms (alg values) [JWA] supported by the protected resource
> >>>   for signing resource responses, for instance, as described in
> >>>   [FAPI.MessageSigning].
> >>
> >> Mike> I noticed that you already applied <tt> to the alg here (good).
> I think the text above is already fine.  Aaron?
> >>
> >> = = = = =
> >>
> >> * Regarding this question and your reply:
> >>
> >>>> 26) <!-- [rfced] Please review the "Inclusive Language" portion of
> >>>> the online Style Guide at
> >>>> <https://www/
> >>>> .rfc-editor.org%2Fstyleguide%2Fpart2%2F%23inclusive_language&data=05%
> >>>> 7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaa
> >>>> aaaaaaaa%7C1%7C0%7C638802597201581579%7CUnknown%7CTWFpbGZsb3d8eyJFbXB
> >>>> 0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIs
> >>>> IldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=RknoutA0DIyLk5oQFgLqFA7Faoi4nx%2B
> >>>> yISVZxRP0Xm8%3D&reserved=0>, and let us know if any changes are
> >>>> needed.  Updates of this nature typically result in more precise
> >>>> language, which is helpful for readers.
> >>>>
> >>>> For example, please consider whether the following should be updated:
> >>>>
> >>>> man-in-the-middle -->
> >>>
> >>> We believe “man-in-the-middle” can be removed from the sentence
> without affecting its meaning. Please do so.
> >>
> >>
> >> "man-in-the-middle" was used in both Section 7.3 and Section 7.6.  We
> removed both instances.  Please review, and let us know if either sentence
> should be clarified.  For example, in Section 7.3, is it correct to now
> refer to one form of attack instead of two?
> >>
> >> Not sure if it helps, but some authors have replaced
> "man-in-the-middle" with "on-path".
> >>
> >> Mike> Actually, let's replace both former uses of man-in-the-middle
> with adversary-in-the-middle, which apparently NIST is using.
> >>
> >> = = = = =
> >>
> >> * Regarding this update:
> >>
> >>> In this review, we also identified a mistake in an example. Please
> >>> update the example in Section 5.1 as described in this pull request:
> >>> https://githu/
> >>> b.com%2Foauth-wg%2Fdraft-ietf-oauth-resource-metadata%2Fpull%2F65%2Ffi
> >>> les&data=05%7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f64
> >>> 0afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201602007%7CUnknown%7CTWFpbGZsb
> >>> 3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjo
> >>> iTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=xCCE8Lb9ZtREL2DAZccrDG5NG
> >>> N7Ph0HQQinP0rCgV90%3D&reserved=0
> >>>
> >>> (Lines 892-895 replaced with the below)
> >>>
> >>> HTTP/1.1 401 Unauthorized
> >>> WWW-Authenticate: Bearer resource_metadata=
> >>
> >> Because the new "401" entry doesn't appear to include an error string,
> should the paragraph that follows it be removed?
> >>
> >> Mike> Actually, let's restore the "error" and "error_description"
> parameters, so that the entry becomes:
> >> HTTP/1.1 401 Unauthorized
> >> WWW-Authenticate: Bearer error="invalid_request",
> >> error_description="No access token was provided in this request",
> >> resource_metadata=
> >> "https://resource.example.com/.well-known/oauth-protected-resource";
> >>
> >> Currently:
> >>
> >> HTTP/1.1 401 Unauthorized
> >> WWW-Authenticate: Bearer resource_metadata=  "
> https://resource.example.com/.well-known/oauth-protected-resource";
> >>
> >> The HTTP status code and error string in the example response above
> are defined by [RFC6750].
> >>
> >> = = = = =
> >>
> >> The latest files are posted here.  Please refresh your browser:
> >>
> >>  https://www.rfc-editor.org/authors/rfc9728.txt
> >>  https://www.rfc-editor.org/authors/rfc9728.pdf
> >>  https://www.rfc-editor.org/authors/rfc9728.html
> >>  https://www.rfc-editor.org/authors/rfc9728.xml
> >>  https://www.rfc-editor.org/authors/rfc9728-diff.html
> >>  https://www.rfc-editor.org/authors/rfc9728-rfcdiff.html (side by side)
> >>  https://www.rfc-editor.org/authors/rfc9728-auth48diff.html
> >>  https://www.rfc-editor.org/authors/rfc9728-auth48rfcdiff.html (side
> by side)
> >>
> >>  https://www.rfc-editor.org/authors/rfc9728-xmldiff1.html
> >>  https://www.rfc-editor.org/authors/rfc9728-xmldiff2.html
> >>
> >> Thanks again!
> >>
> >> RFC Editor/lb
> >>
> >>
> >>>> On Apr 11, 2025, at 2:18 PM, Aaron Parecki <aaron=
> 40parecki....@dmarc.ietf.org> wrote:
> >>>
> >>>
> >>>
> >>>> On Wed, Apr 9, 2025 at 4:00 PM <rfc-edi...@rfc-editor.org> wrote:
> >>> Authors,
> >>>
> >>> While reviewing this document during AUTH48, please resolve (as
> >>> necessary) the following questions, which are also in the XML file.
> >>>
> >>> 1) <!-- [rfced] Section 1:  This sentence does not parse.  As it
> >>> appears that "then fetch" means "then the client fetches", may we
> >>> update as suggested below?
> >>>
> >>> Original:
> >>> In other cases, it may be
> >>> dynamically discovered; for example, a user could enter their email
> >>> address into an email client, the client could perform WebFinger
> >>> [RFC7033] discovery (in a manner related to the description in
> >>> Section 2 of "OpenID Connect Discovery 1.0" [OpenID.Discovery]) to
> >>> find the resource server, then fetch the resource server metadata to
> >>> find the authorization server to use to obtain authorization to
> >>> access the user's email.
> >>>
> >>> Suggested:
> >>> In
> >>> other cases, it may be dynamically discovered; for example, a user
> >>> could enter their email address into an email client, the client
> >>> could perform WebFinger discovery [RFC7033] (in a manner related to
> >>> the description in Section 2 of [OpenID.Discovery]) to find the
> >>> resource server, and the client could then fetch the resource server
> >>> metadata to find the authorization server to use to obtain
> >>> authorization to access the user's email. -->
> >>>
> >>> Agreed, thanks for the suggested text.
> >>>
> >>>
> >>> 2) <!-- [rfced] Section 1:  We changed "Software Statement" to
> >>> "software statement" per the text of RFC 7591 and changed "Dynamic
> >>> Client Registration" to "dynamic client registration" per RFCs 7591,
> >>> 9700, and 9701.  Please let us know any objections.
> >>>
> >>> Original:
> >>> This is
> >>> analogous to the role that the Software Statement plays in OAuth
> >>> Dynamic Client Registration [RFC7591].
> >>>
> >>> Currently:
> >>> This is
> >>> analogous to the role that the software statement plays in OAuth
> >>> dynamic client registration [RFC7591]. -->
> >>>
> >>> We agree with lowercase "software statement", but "Dynamic Client
> Registration" should be capitalized, as it's the name of RFC 7591.
> >>>
> >>>
> >>>
> >>> 3) <!-- [rfced] Section 1:  We had trouble parsing this sentence.  We
> >>> removed the comma before "but that" to clarify that "that" refers to
> >>> attacker-generated metadata and is not used as a noun.  If this update
> >>> is incorrect, please clarify what "but that" refers to.
> >>>
> >>> Original:
> >>> This prevents attackers from publishing metadata supposedly
> >>> describing the protected resource, but that is not actually
> >>> authoritative for the protected resource, as described in  Section
> >>> 7.3.
> >>>
> >>> Currently:
> >>> This prevents attackers from publishing metadata that supposedly
> >>> describes the protected resource but that is not actually
> >>> authoritative for the protected resource, as described in  Section
> >>> 7.3. -->
> >>>
> >>>
> >>> Agreed.
> >>>
> >>> 4) <!-- [rfced] Sections 1 and subsequent:  Please review and advise
> >>> regarding the usage of "<tt>" for certain values and parameters as
> >>> listed in the XML file for this document.  For example, we see
> >>> 2 instances of (OAuth 2.0) "<tt>scope</tt> values" and 1 instance of
> >>> "scope values".  Should usage be consistent?  Also, please review the
> >>> parameters listed in Sections 2 and 8.1.2; no <tt>s for parameters
> >>> listed in Section 2, but parameters listed in Section 8.1.2 (except
> >>> for "signed_metadata"; see below) are enclosed in <tt>s.
> >>>
> >>> A few more examples:
> >>> "alg values":  2 instances with <tt>, 2 without  GET ("<tt>GET</tt>
> >>> request" vs. "the GET")  <dt>Metadata
> >>> Name:</dt><dd>signed_metadata</dd> (Section 8.1.2)
> >>> (All other parameter names in Section 8.1.2 that follow
> >>> "Metadata Name: " are enclosed in <tt>s.) -->
> >>>
> >>>
> >>> We intend to call out parameter names with <tt>, but not use that
> markup when referring to the concept. So in the case of all 3 occurrences
> of "scope values", these are not referring to the parameter names so the
> <tt> should be removed.
> >>>
> >>> For "alg values", "alg" is a parameter name in JWT, so that should
> always be wrapped in <tt>.
> >>>
> >>> The instance of "the GET" should be corrected to "the <tt>GET</tt>
> request".
> >>>
> >>> "signed_metadata" is missing the <tt> wrapper as well.
> >>>
> >>>
> >>> 5) <!-- [rfced] Sections 1 and 2:  We had trouble determining what
> >>> "for instance" refers to in these sentences.  For example, in the
> >>> first sentence listed below, we do not see any mention of "jwks_uri"
> >>> in [FAPI.MessageSigning] (although we see "jwks_uri"
> >>> in Section 2 of this document as well as RFCs 7591, 7592, 8414, 8705,
> >>> 8725, 9068, 9700, and 9701, but [FAPI.MessageSigning] does not mention
> >>> any of these published RFCs, except for one mention of RFC 8705 ("This
> >>> is outside of the scope of both [RFC8705] and the FAPI standards")).
> >>> Could these sentences be reworded to make them clearer?
> >>>
> >>> Original:
> >>> These values may be
> >>> used by other specifications, such as the jwks_uri used to publish
> >>> public keys the resource server uses to sign resource responses, for
> >>> instance, as described in [FAPI.MessageSigning].
> >>> ...
> >>> JSON array containing a list of the JWS [JWS] signing
> >>>   algorithms (alg values) [JWA] supported by the protected resource
> >>>   for signing resource responses, for instance, as described in
> >>>   [FAPI.MessageSigning].
> >>>
> >>> Possibly:
> >>> These values may be
> >>> used by other specifications, such as the jwks_uri (see Section 2)
> >>> used to publish public keys the resource server uses to sign  resource
> >>> responses, as described in [FAPI.MessageSigning].
> >>> ...
> >>> JSON array containing a list of the JWS [JWS] signing
> >>>   algorithms (alg values) [JWA] supported by the protected resource
> >>>   for signing resource responses - for instance, as described in
> >>>   [FAPI.MessageSigning]. -->
> >>>
> >>> Please use this wording, as we identified another ambiguity in the
> previous wording:
> >>>
> >>> These values, such as the <tt>jwks_uri</tt> (see Section 2), may be
> >>> used with other specifications; for example, the public keys published
> >>> in the <tt>jwks_uri</tt> can be used to verify the signed resource
> responses, as described in [FAPI.MessageSigning].
> >>>
> >>>
> >>>
> >>> 6) <!-- [rfced] Section 1.1:  "uses of ... utilize", which also means
> >>> "uses of ... uses", read oddly.  We changed "uses of" to "applications
> >>> of".  Please let us know any objections.
> >>>
> >>> Original:
> >>> All uses of JSON Web Signature (JWS) [JWS] and JSON Web Encryption
> >>> (JWE) [JWE] data structures in this specification utilize the JWS
> >>> Compact Serialization or the JWE Compact Serialization; the JWS JSON
> >>> Serialization and the JWE JSON Serialization are not used.
> >>>
> >>> Currently:
> >>> All applications of JSON Web Signature (JWS) data structures [JWS]
> >>> and JSON Web Encryption (JWE) data structures [JWE] as discussed in
> >>> this specification utilize the JWS Compact Serialization or the JWE
> >>> Compact Serialization; the JWS JSON Serialization and the JWE JSON
> >>> Serialization are not used. -->
> >>>
> >>>
> >>> Agreed.
> >>>
> >>> 7) <!-- [rfced] Section 1.2:  This text says "This specification uses
> >>> the terms ...", but except for a few terms (e.g., "Client
> >>> Authentication" (only used in the title of Section 5.3), "Claim Name",
> >>> "Authorization Code"), we could not find any instances of the
> >>> following terms anywhere in the text:
> >>> Authorization Endpoint, Authorization Grant, Client Secret, Grant
> >>> Type, Redirection URI, Refresh Token, Resource Owner, Response Type,
> >>> Token Endpoint, and Claim Value.
> >>>
> >>> We see that this paragraph was taken from Section 1.2 of RFC 8414.
> >>> We also see similar paragraphs in several other post-6000 RFCs.
> >>>
> >>> The following terms are lowercased in text everywhere else in this
> >>> document.  Should we lowercase them in this list as well?
> >>>
> >>> Access Token, Authorization Server, Client, Client Identifier,
> >>> Protected Resource, and Resource Server
> >>>
> >>> We see that the terms listed as being from RFC 6749 are lowercased in
> >>> RFC 6749.  Lowercase versus uppercase for the terms listed as being in
> >>> [JWT] (RFC 7519) is mixed.
> >>>
> >>> If all of these terms are relevant to this document, should the text
> >>> be reworded to suggest that readers be familiar with them?  If not,
> >>> could this paragraph be (1) updated to tailor it to this document, as
> >>> was done in RFCs 9470 and 9700 or (2) removed?
> >>>
> >>> Original:
> >>> This specification uses the terms "Access Token", "Authorization
> >>> Code", "Authorization Endpoint", "Authorization Grant",
> >>> "Authorization Server", "Client", "Client Authentication", "Client
> >>> Identifier", "Client Secret", "Grant Type", "Protected Resource",
> >>> "Redirection URI", "Refresh Token", "Resource Owner", "Resource
> >>> Server", "Response Type", and "Token Endpoint" defined by OAuth 2.0
> >>> [RFC6749], the terms "Claim Name", "Claim Value", and "JSON Web Token
> >>> (JWT)" defined by JSON Web Token (JWT) [JWT]. -->
> >>>
> >>>
> >>> Yes, let's delete the terms we're not using, and use quoted lowercase
> terms so that it matches RFC 9449, RFC 9470, and RFC 9700.
> >>>
> >>> 8) <!-- [rfced] Sections 2 and 8.1.2:  We changed "Bearer Token" to
> >>> "bearer token" per RFC 6750.  Please let us know any objections.
> >>>
> >>> If no objections, we will ask IANA to change "Bearer Token" to "bearer
> >>> token" in the "OAuth Protected Resource Metadata" registry on
> >>> <https://www/.
> >>> iana.org%2Fassignments%2Foauth-parameters%2F&data=05%7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201751463%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=TxUFf0ihhrrSSESPn1bY8RDg1hcRmB84Tur%2BvMqXgEg%3D&reserved=0>
> just prior to publication.
> >>>
> >>> Original:
> >>> JSON array containing a list of the supported methods
> >>>   of sending an OAuth 2.0 Bearer Token [RFC6750] to the protected
> >>>   resource.
> >>> ...
> >>> *  Metadata Description: JSON array containing a list of the OAuth
> >>>   2.0 Bearer Token presentation methods that this protected resource
> >>>   supports
> >>>
> >>> Currently:
> >>> JSON array containing a list of the supported methods
> >>>   of sending an OAuth 2.0 bearer token [RFC6750] to the protected
> >>>   resource.
> >>> ...
> >>> Metadata Description:  JSON array containing a list of the OAuth 2.0
> >>>   bearer token presentation methods that this protected resource
> >>>   supports -->
> >>>
> >>>
> >>> Agreed, when "bearer token" is referring to the type of token (rather
> than referring to RFC 6750) it should be lowercase.
> >>>
> >>> 9) <!-- [rfced] Section 2.2:  For ease of the reader, we provided a
> >>> brief explanation of the term "MACed" per RFC 7591.  Please let us
> >>> know any objections.
> >>>
> >>> Original:
> >>> The signed metadata MUST be
> >>> digitally signed or MACed using JSON Web Signature (JWS) [JWS] and
> >>> MUST contain an iss (issuer) claim denoting the party attesting to
> >>> the claims in the signed metadata.
> >>>
> >>> Currently:
> >>> The signed metadata MUST be
> >>> digitally signed or MACed (protected with a Message Authentication
> >>> Code) using a JSON Web Signature (JWS) [JWS] and MUST contain an iss
> >>> (issuer) claim denoting the party attesting to the claims in the
> >>> signed metadata. -->
> >>>
> >>>
> >>> Agreed.
> >>>
> >>> 10) <!-- [rfced] Please review the four sourcecode entries in this
> >>> document, and let us know if you would like to specify a type.
> >>> For example, should the first and second sourcecode items have the
> >>> type set to "http-message", and should the third and fourth sourcecode
> >>> items have the type set to "json"?  Please review and advise.
> >>>
> >>> If the current list of preferred values for "type"
> >>> (https://www/.
> >>> rfc-editor.org%2Frpc%2Fwiki%2Fdoku.php%3Fid%3Dsourcecode-types&data=05
> >>> %7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaa
> >>> aaaaaaaa%7C1%7C0%7C638802597201765076%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0
> >>> eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIl
> >>> dUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=S9rCSReF7kSe9klNsDq5cv8DrSHcch5VmNii
> >>> ZXlX7Lo%3D&reserved=0) does not contain an applicable type, please let
> >>> us know.  Also, it is acceptable to leave the "type" attribute unset.
> >>> -->
> >>>
> >>>
> >>> All should be set to type "http-message".
> >>>
> >>> 11) <!-- [rfced] Section 4:  Please confirm that "OAuth protected
> >>> resources for protected resources" is as intended.
> >>>
> >>> Original:
> >>> protected_resources
> >>>   OPTIONAL.  JSON array containing a list of resource identifiers
> >>>   for OAuth protected resources for protected resources that can be
> >>>   used with this authorization server. -->
> >>>
> >>>
> >>> That looks like a duplicate "for protected resources", please delete,
> so that it reads:
> >>>
> >>> protected_resources
> >>>   OPTIONAL.  JSON array containing a list of resource identifiers
> >>>   for OAuth protected resources that can be
> >>>   used with this authorization server.
> >>>
> >>> 12) <!-- [rfced] Figure 1:  We see that the bottom set of boxes for
> >>> "Client", "Resource Server", and "Authorization Server" appear in the
> >>> SVG but not the ASCII art.  Please update so that the ASCII art and
> >>> the SVG match.
> >>> -->
> >>>
> >>>
> >>> Thanks for flagging the inconsistency. Please add this to the bottom
> of the diagram:
> >>>
> >>>    +----+-----+              +----+-----+    +-------+-------+
> >>>    |  Client  |              | Resource |    | Authorization |
> >>>    |          |              |  Server  |    |    Server     |
> >>>    +----------+              +----------+    +---------------+
> >>>
> >>> 13) <!-- [rfced] Section 5:  The descriptive text regarding the steps
> >>> shown in Figure 1 doesn't seem to align with the steps shown in Figure
> >>> 1:
> >>>
> >>> In Figure 1:
> >>> Step 5 is "Validate ..." and "... Build ..."
> >>> Step 6 is "Fetch ..."
> >>>
> >>> In the text:
> >>> Step 5 is "... validates ..."
> >>> Step 6 is "... builds ..." and "... makes a request to fetch ..."
> >>>
> >>> May we update the descriptive text as suggested below?
> >>>
> >>> Original:
> >>> | 5. Validate RS Metadata |         |                  |
> >>> | Build AS Metadata URL   |         |                  |
> >>> ...
> >>>          |   6. Fetch AS Metadata  |                  |
> >>> ...
> >>> 5.   The client validates the protected resource metadata, as
> >>>     described in Section 3.3.
> >>>
> >>> 6.   The client builds the authorization server metadata URL from an
> >>>     issuer identifier in the resource metadata according to
> >>>     [RFC8414] and makes a request to fetch the authorization server
> >>>     metadata.
> >>>
> >>> Suggested (easier to change the text than the figure):
> >>> 5.   The client validates the protected resource metadata, as
> >>>     described in Section 3.3, and builds the authorization server
> >>>     metadata URL from an issuer identifier in the resource metadata
> >>>     according to [RFC8414].
> >>>
> >>> 6.   The client makes a request to fetch the authorization server
> >>>     metadata. -->
> >>>
> >>>
> >>> Thanks.
> >>>
> >>> 14) <!-- [rfced] Section 5.3:  Does "scenarios where" also apply to
> >>> the text after "and", or is the text after "and" a separate thought?
> >>> If the former, may we update as suggested?
> >>>
> >>> Original:
> >>> This specification is intended to be deployed in scenarios where the
> >>> client has no prior knowledge about the resource server, and the
> >>> resource server might or might not have prior knowledge about the
> >>> client.
> >>>
> >>> Suggested:
> >>> This specification is intended to be deployed in scenarios where the
> >>> client has no prior knowledge about the resource server and where  the
> >>> resource server might or might not have prior knowledge about  the
> >>> client. -->
> >>>
> >>> Looks good.
> >>>
> >>> 15) <!-- [rfced] Section 6:  "such as resource" looked odd in the text
> >>> output, so we placed "resource" in quotes per 'The name requested
> >>> (e.g., "resource")' in Section 8.1.1.  Please let us know any
> >>> objections.
> >>>
> >>> Original:
> >>> For example, the member names in the
> >>> metadata response might be compared to specific member names such as
> >>> resource.
> >>>
> >>> Currently:
> >>> For example, the member names in the
> >>> metadata response might be compared to specific member names such as
> >>> "resource". -->
> >>>
> >>>
> >>> We should use <tt>resource</tt> for consistency, since this is
> actually a parameter name.
> >>>
> >>> 16) <!-- [rfced] Section 7.6:  We had trouble determining what "or
> >>> which could be published" refers to.  If the suggested text is not
> >>> correct, please clarify.
> >>>
> >>> Original:
> >>> For
> >>> instance, some protected resources are used with a fixed
> >>> authorization server or set of authorization servers, the locations
> >>> of which may be well known, or which could be published as metadata
> >>> values by the protected resource.
> >>>
> >>> Suggested (guessing that the location information could be published):
> >>> For
> >>> instance, some protected resources are used with a fixed
> >>> authorization server or set of authorization servers, the locations
> >>> of which may be well known or could be published by the protected
> >>> resource as metadata values. -->
> >>>
> >>>
> >>> Maybe we can make this even more explicit by separating it into
> multiple sentences:
> >>>
> >>> For instance, some protected resources are used with a fixed
> authorization server or a set of authorization servers, the locations of
> which may be known via out-of-band mechanisms. Alternatively, as described
> in this specification, the locations of the authorization servers could be
> published by the protected resource as metadata values.
> >>>
> >>> 17) <!-- [rfced] Section 7.9:  We see "PKIX" mentioned in RFC 9525 but
> >>> not standalone "PKI".  Would you prefer to mention "PKIX" instead of
> >>> "PKI" here?
> >>>
> >>> Original:
> >>> This means that its security is dependent upon  the Internet Public
> >>> Key Infrastructure (PKI) [RFC9525].
> >>>
> >>> Possibly:
> >>> This means that its security is dependent  upon the Internet Public
> >>> Key Infrastructure using X.509 (PKIX)  [RFC9525]. -->
> >>>
> >>>
> >>> Please use:
> >>>
> >>> This means that its security is dependent upon the Internet Public Key
> >>> Infrastructure using X.509 (PKIX), as described in [RFC9525].
> >>>
> >>> 18) <!-- [rfced] Section 7.10:  RFC 7234 has been obsoleted by RFC
> 9111.
> >>> Because we see "Cache-Control" and "max-age" discussed in RFC 9111 as
> >>> well, we updated the RFC number accordingly.  Please let us know any
> >>> objections.
> >>>
> >>> Original ("utlize" has been fixed):
> >>> Implementations should utlize HTTP
> >>> caching directives such as Cache-Control with max-age, as defined in
> >>> [RFC7234], to enable caching of retrieved metadata for appropriate
> >>> time periods.
> >>> ...
> >>> [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
> >>>           Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
> >>>           RFC 7234, DOI 10.17487/RFC7234, June 2014,
> >>>           <https://www.rfc-editor.org/info/rfc7234>.
> >>>
> >>> Currently:
> >>> Implementations should utilize HTTP
> >>> caching directives such as Cache-Control with max-age, as defined in
> >>> [RFC9111], to enable caching of retrieved metadata for appropriate
> >>> time periods.
> >>> ...
> >>> [RFC9111]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
> >>>           Ed., "HTTP Caching", STD 98, RFC 9111,
> >>>           DOI 10.17487/RFC9111, June 2022,
> >>>
> >>> <https://www/.
> >>> rfc-editor.org%2Finfo%2Frfc9111&data=05%7C02%7C%7C03dd1f9970bf4841b6bd
> >>> 08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201
> >>> 789879%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDA
> >>> wMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sda
> >>> ta=jbOe9nWAwJvXV8bxH1ONAMS9qvNk%2BLvMrFz0%2FHYST%2B4%3D&reserved=0>.
> >>> -->
> >>>
> >>>
> >>> Agreed.
> >>>
> >>> 19) <!-- [rfced] We have removed this first paragraph, as it seems
> unnecessary.  Please review.
> >>>
> >>> Original:
> >>>  The following registration procedure is used for the registry
> >>>  established by this specification.
> >>> -->
> >>>
> >>>
> >>> Ok.
> >>>
> >>> 20) <!-- [rfced] To clarify the text, please consider the following
> >>> update.  Currently, it is unclear whether mail sent to the list
> >>> initiates review or if it is where the expert sends the comments.
> >>> In addition, does the text need to mention Designated Experts, because
> >>> Expert Review is already part of Specification Required?
> >>>
> >>> Original:
> >>>  Values are registered on a Specification Required [RFC8126] basis
> >>>  after a two-week review period on the oauth-ext-rev...@ietf.org
> >>>  mailing list, on the advice of one or more Designated Experts.
> >>>
> >>> Perhaps:
> >>>  Values are registered per Specification Required [RFC8126].
> >>>  Registration requests should be sent to <oauth-ext-rev...@ietf.org>
> >>>  to initiate a two-week review period.
> >>> -->
> >>>
> >>> We don’t intend there to be anything unique to this spec with regards
> to the review process. Any corrections here are acceptable.
> >>>
> >>> 21) <!-- [rfced] Note that we have updated the text as follows based
> >>> on discussion with IANA.  Please let us know if you have concerns.
> >>>
> >>> Original:
> >>>  The IANA escalation process is followed when the designated experts
> >>>  are not responsive within 14 days.
> >>>
> >>> Current:
> >>>  If the designated experts are not responsive, the registration
> requesters
> >>>  should contact IANA to escalate the process.
> >>> -->
> >>>
> >>> Looks good.
> >>>
> >>> 22) <!-- [rfced] For clarity, please consider whether "makes sense"
> >>> should be "is clear and fits the purpose of the registry"?  In
> >>> addition, we suggest stating the criteria clearly (i.e., is the
> >>> designated expert supposed to approve or not approve proposals that
> duplicate functionality).
> >>>
> >>> Original:
> >>>  Criteria that should be applied by the Designated Experts includes
> >>>  determining whether the proposed registration duplicates existing
> >>>  functionality, whether it is likely to be of general
> >>>  applicability or is useful only for a single application,
> >>>  and whether the registration makes sense.
> >>>
> >>> Perhaps:
> >>>  Designated experts should apply the following criteria when reviewing
> >>>  proposed registrations: they must be unique, that is, they should not
> >>>  duplicate existing functionality; they are likely generally
> applicable,
> >>>  as opposed to being used for a single application; and they are clear
> >>>  and fit the purpose of the registry.
> >>> -->
> >>>
> >>> Agreed.
> >>>
> >>> 23) <!-- [rfced] This sentence is tough to parse.  Please consider the
> >>> following update for clarity.
> >>>
> >>> Original:
> >>>  The reason to allow the Designated Experts to allocate values prior
> >>>  to publication as a final specification is to enable giving authors
> >>>  of specifications proposing registrations the benefit of review by
> >>>  the Designated Experts before the specification is completely done,
> >>>  so that if problems are identified, the authors can iterate and fix
> >>>  them before publication of the final specification.
> >>>
> >>> Perhaps:
> >>>  Designated experts may allocate values prior to publication of the
> >>>  final specification.  This allows authors to receive guidance from
> >>>  the designated experts early, so any identified issues can be fixed
> >>>  before the final specification is published.
> >>> -->
> >>>
> >>> Looks good.
> >>>
> >>> 24) <!-- [rfced] [USA15] Do you want to specifically refer to the 2015
> version of the standard, or do you want to refer to the most current
> version?  Currently, we have updated this reference listing to primarily
> refer to the 2015 version, and we have included a second link to the curent
> version.  Please review.
> >>>
> >>> Original:
> >>> [USA15]    Davis, M. and K. Whistler, "Unicode Normalization Forms",
> >>>           Unicode Standard Annex 15, 1 June 2015,
> >>>           <https://www.unicode.org/reports/tr15/>.
> >>>
> >>> Currently:
> >>> [USA15]    Davis, M., Ed. and K. Whistler, Ed., "Unicode
> >>>           Normalization Forms", Unicode Standard Annex #15, 1 June
> >>>           2015, <https://www.unicode.org/reports/tr15/tr15-43.html>.
> >>>           Latest version available at
> >>>
> >>> <https://www/.
> >>> unicode.org%2Freports%2Ftr15%2F&data=05%7C02%7C%7C03dd1f9970bf4841b6bd
> >>> 08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201
> >>> 825678%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDA
> >>> wMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sda
> >>> ta=xcb4024eQ2zzXVIndtE2I77t6c%2F8IkfM%2FWVwdy4VOq4%3D&reserved=0>. -->
> >>>
> >>> The most current version would be best.
> >>>
> >>> 25) <!-- [rfced] Acknowledgements:  We found that all names were
> >>> listed in alphabetical order by last name, except for Gabriel Corona.
> >>> We moved Gabriel's name so that it appears after Deb Cooley's name
> >>> instead of Roman Danyliw's name.  Please let us know any objections.
> >>>
> >>> Original:
> >>> We would would also like to thank Amanda  Baber, Mike Bishop, Ralph
> >>> Bragg, Brian Campbell, Deb Cooley, Roman  Danyliw, Gabriel Corona,
> >>> Vladimir Dzhuvinov, George Fletcher, Arnt  Gulbrandsen, Pieter
> >>> Kasselman, Murray Kucherawy, David Mandelberg,  Tony Nadalin,
> >>> Francesca Palombini, John Scudder, Rifaat Shekh-Yusef,  Filip Skokan,
> >>> Orie Steele, Atul Tulshibagwale, Éric Vyncke, Paul  Wouters, and Bo Wu
> >>> for their contributions to the specification.
> >>>
> >>> Currently ("would would" has been fixed):
> >>> We would also like to thank Amanda Baber,  Mike Bishop, Ralph Bragg,
> >>> Brian Campbell, Deb Cooley, Gabriel Corona,  Roman Danyliw, Vladimir
> >>> Dzhuvinov, George Fletcher, Arnt Gulbrandsen,  Pieter Kasselman,
> >>> Murray Kucherawy, David Mandelberg, Tony Nadalin,  Francesca
> >>> Palombini, John Scudder, Rifaat Shekh-Yusef, Filip Skokan,  Orie
> >>> Steele, Atul Tulshibagwale, Éric Vyncke, Paul Wouters, and Bo Wu  for
> >>> their contributions to the specification. -->
> >>>
> >>> Looks good, thanks.
> >>>
> >>> 26) <!-- [rfced] Please review the "Inclusive Language" portion of the
> >>> online Style Guide at
> >>> <https://www/.
> >>> rfc-editor.org%2Fstyleguide%2Fpart2%2F%23inclusive_language&data=05%7C
> >>> 02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaa
> >>> aaaaa%7C1%7C0%7C638802597201839021%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1
> >>> hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUI
> >>> joyfQ%3D%3D%7C0%7C%7C%7C&sdata=KsZYR8dDQ8LdpDmxMVzjY%2FluS3GqJk%2B8wLD
> >>> h1Lx7C3c%3D&reserved=0>, and let us know if any changes are needed.
> >>> Updates of this nature typically result in more precise language,
> >>> which is helpful for readers.
> >>>
> >>> For example, please consider whether the following should be updated:
> >>>
> >>> man-in-the-middle -->
> >>>
> >>> We believe “man-in-the-middle” can be removed from the sentence
> without affecting its meaning. Please do so.
> >>>
> >>> 27) <!-- [rfced] The following terms were used inconsistently in this
> >>> document.  We chose to use the latter forms.  Please let us know any
> >>> objections.
> >>>
> >>> Protected resource (1 instance) ("The Protected resource's") /
> >>>  protected resource (108 instances)
> >>>
> >>> Resource Identifier (1 instance in text) ("The protected resource's
> >>>  Resource Identifier") / resource identifier (19 instances in text)
> >>>  ("The protected resource's resource identifier") -->
> >>>
> >>> Agreed.
> >>>
> >>> Thank you.
> >>>
> >>> RFC Editor
> >>>
> >>>
> >>> In this review, we also identified a mistake in an example. Please
> >>> update the example in Section 5.1 as described in this pull request:
> >>> https://githu/
> >>> b.com%2Foauth-wg%2Fdraft-ietf-oauth-resource-metadata%2Fpull%2F65%2Ffi
> >>> les&data=05%7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f64
> >>> 0afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201853214%7CUnknown%7CTWFpbGZsb
> >>> 3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjo
> >>> iTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=h2wdn1pfYeI05m%2FpTa%2Fdd
> >>> KkYl4UmkGUal9%2FGSqmf5t8%3D&reserved=0
> >>>
> >>> (Lines 892-895 replaced with the below)
> >>>
> >>> HTTP/1.1 401 Unauthorized
> >>> WWW-Authenticate: Bearer resource_metadata=
> >>>
> >>> Thanks for the thorough review.
> >>>
> >>>
> >>>> On Apr 9, 2025, at 3:52 PM, rfc-edi...@rfc-editor.org wrote:
> >>>
> >>> *****IMPORTANT*****
> >>>
> >>> Updated 2025/04/09
> >>>
> >>> RFC Author(s):
> >>> --------------
> >>>
> >>> Instructions for Completing AUTH48
> >>>
> >>> Your document has now entered AUTH48.  Once it has been reviewed and
> >>> approved by you and all coauthors, it will be published as an RFC.
> >>> If an author is no longer available, there are several remedies
> >>> available as listed in the FAQ (https://www.rfc-editor.org/faq/).
> >>>
> >>> You and you coauthors are responsible for engaging other parties
> >>> (e.g., Contributors or Working Group) as necessary before providing
> >>> your approval.
> >>>
> >>> Planning your review
> >>> ---------------------
> >>>
> >>> Please review the following aspects of your document:
> >>>
> >>> *  RFC Editor questions
> >>>
> >>>  Please review and resolve any questions raised by the RFC Editor
> >>>  that have been included in the XML file as comments marked as
> >>>  follows:
> >>>
> >>>  <!-- [rfced] ... -->
> >>>
> >>>  These questions will also be sent in a subsequent email.
> >>>
> >>> *  Changes submitted by coauthors
> >>>
> >>>  Please ensure that you review any changes submitted by your
> >>>  coauthors.  We assume that if you do not speak up that you
> >>>  agree to changes submitted by your coauthors.
> >>>
> >>> *  Content
> >>>
> >>>  Please review the full content of the document, as this cannot
> >>>  change once the RFC is published.  Please pay particular attention to:
> >>>  - IANA considerations updates (if applicable)
> >>>  - contact information
> >>>  - references
> >>>
> >>> *  Copyright notices and legends
> >>>
> >>>  Please review the copyright notice and legends as defined in
> >>>  RFC 5378 and the Trust Legal Provisions
> >>>  (TLP – https://trustee.ietf.org/license-info).
> >>>
> >>> *  Semantic markup
> >>>
> >>>  Please review the markup in the XML file to ensure that elements of
> >>>  content are correctly tagged.  For example, ensure that <sourcecode>
> >>>  and <artwork> are set correctly.  See details at
> >>>  <https://authors.ietf.org/rfcxml-vocabulary>.
> >>>
> >>> *  Formatted output
> >>>
> >>>  Please review the PDF, HTML, and TXT files to ensure that the
> >>>  formatted output, as generated from the markup in the XML file, is
> >>>  reasonable.  Please note that the TXT will have formatting
> >>>  limitations compared to the PDF and HTML.
> >>>
> >>>
> >>> Submitting changes
> >>> ------------------
> >>>
> >>> To submit changes, please reply to this email using ‘REPLY ALL’ as all
> >>> the parties CCed on this message need to see your changes. The parties
> >>> include:
> >>>
> >>>  *  your coauthors
> >>>
> >>>  *  rfc-edi...@rfc-editor.org (the RPC team)
> >>>
> >>>  *  other document participants, depending on the stream (e.g.,
> >>>     IETF Stream participants are your working group chairs, the
> >>>     responsible ADs, and the document shepherd).
> >>>
> >>>  *  auth48archive@rfc-editor.org, which is a new archival mailing list
> >>>     to preserve AUTH48 conversations; it is not an active discussion
> >>>     list:
> >>>
> >>>    *  More info:
> >>>
> >>> https://maila/
> >>> rchive.ietf.org%2Farch%2Fmsg%2Fietf-announce%2Fyb6lpIGh-4Q9l2USxIAe6P8
> >>> O4Zc&data=05%7C02%7C%7C03dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f6
> >>> 40afb435aaaaaaaaaaaa%7C1%7C0%7C638802597201902963%7CUnknown%7CTWFpbGZs
> >>> b3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIj
> >>> oiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=lQRqElj9UJPcPJtqZWyrg8%2
> >>> B18k1zyFYb5ozmWaYbZsI%3D&reserved=0
> >>>
> >>>    *  The archive itself:
> >>>
> >>> https://maila/
> >>> rchive.ietf.org%2Farch%2Fbrowse%2Fauth48archive%2F&data=05%7C02%7C%7C0
> >>> 3dd1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1
> >>> %7C0%7C638802597201915095%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRy
> >>> dWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%
> >>> 3D%7C0%7C%7C%7C&sdata=KRO4R3sNId6bw1CzSK1bifBXgLRoiV3Ga6j2e9E44wU%3D&r
> >>> eserved=0
> >>>
> >>>    *  Note: If only absolutely necessary, you may temporarily opt out
> >>>       of the archiving of messages (e.g., to discuss a sensitive
> matter).
> >>>       If needed, please add a note at the top of the message that you
> >>>       have dropped the address. When the discussion is concluded,
> >>>       auth48archive@rfc-editor.org will be re-added to the CC list and
> >>>       its addition will be noted at the top of the message.
> >>>
> >>> You may submit your changes in one of two ways:
> >>>
> >>> An update to the provided XML file
> >>> — OR —
> >>> An explicit list of changes in this format
> >>>
> >>> Section # (or indicate Global)
> >>>
> >>> OLD:
> >>> old text
> >>>
> >>> NEW:
> >>> new text
> >>>
> >>> You do not need to reply with both an updated XML file and an explicit
> >>> list of changes, as either form is sufficient.
> >>>
> >>> We will ask a stream manager to review and approve any changes that
> >>> seem beyond editorial in nature, e.g., addition of new text, deletion
> >>> of text, and technical changes.  Information about stream managers can
> >>> be found in the FAQ.  Editorial changes do not require approval from a
> stream manager.
> >>>
> >>>
> >>> Approving for publication
> >>> --------------------------
> >>>
> >>> To approve your RFC for publication, please reply to this email
> >>> stating that you approve this RFC for publication.  Please use ‘REPLY
> >>> ALL’, as all the parties CCed on this message need to see your
> approval.
> >>>
> >>>
> >>> Files
> >>> -----
> >>>
> >>> The files are available here:
> >>>  https://www.rfc-editor.org/authors/rfc9728.xml
> >>>  https://www.rfc-editor.org/authors/rfc9728.html
> >>>  https://www.rfc-editor.org/authors/rfc9728.pdf
> >>>
> >>> https://www.r/
> >>> fc-editor.org%2Fauthors%2Frfc9728.txt&data=05%7C02%7C%7C03dd1f9970bf48
> >>> 41b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638802
> >>> 597201962079%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwL
> >>> jAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%
> >>> 7C&sdata=9WtF%2BkNgKaleZydYZrgA4OGQBeI7lQcR0SYHqUeEadI%3D&reserved=0
> >>>
> >>> Diff file of the text:
> >>>  https://www.rfc-editor.org/authors/rfc9728-diff.html
> >>>
> >>> https://www.r/
> >>> fc-editor.org%2Fauthors%2Frfc9728-rfcdiff.html&data=05%7C02%7C%7C03dd1
> >>> f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0
> >>> %7C638802597201984827%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUs
> >>> IlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7
> >>> C0%7C%7C%7C&sdata=Vx0krnpprmj8G98K8gkAVVIrCwfgUGuNwoGcQfiO3KY%3D&reser
> >>> ved=0 (side by side)
> >>>
> >>> Diff of the XML:
> >>>
> >>> https://www.r/
> >>> fc-editor.org%2Fauthors%2Frfc9728-xmldiff1.html&data=05%7C02%7C%7C03dd
> >>> 1f9970bf4841b6bd08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C
> >>> 0%7C638802597201998456%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWU
> >>> sIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%
> >>> 7C0%7C%7C%7C&sdata=4oGXGo%2FBy1DegNnuw20yVy%2BTeGHs2Y3ntOZej%2FXqfO4%3
> >>> D&reserved=0
> >>>
> >>>
> >>> Tracking progress
> >>> -----------------
> >>>
> >>> The details of the AUTH48 status of your document are here:
> >>>
> >>> https://www.r/
> >>> fc-editor.org%2Fauth48%2Frfc9728&data=05%7C02%7C%7C03dd1f9970bf4841b6b
> >>> d08dd7b93de50%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C63880259720
> >>> 2010697%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMD
> >>> AwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sd
> >>> ata=EncU0stsHS%2Bra2SNhCMyi7I%2FzMqt328rQmQ%2BymJRLkM%3D&reserved=0
> >>>
> >>> Please let us know if you have any questions.
> >>>
> >>> Thank you for your cooperation,
> >>>
> >>> RFC Editor
> >>>
> >>> --------------------------------------
> >>> RFC 9728 (draft-ietf-oauth-resource-metadata-13)
> >>>
> >>> Title            : OAuth 2.0 Protected Resource Metadata
> >>> Author(s)        : M.B. Jones, P. Hunt, A. Parecki
> >>> WG Chair(s)      : Hannes Tschofenig, Rifaat Shekh-Yusef
> >>> Area Director(s) : Deb Cooley, Paul Wouters
> >>>
> >>>
> >>
> >
>
>
-- 
auth48archive mailing list -- auth48archive@rfc-editor.org
To unsubscribe send an email to auth48archive-le...@rfc-editor.org

Reply via email to