Hello, I just reviewed draft-ietf-oauth-jwsreq, and it looks great and seems to be a nice addition to help with security. Thanks for your work on it.
I only have a few comments.

1. The first is just about some wording that is awkward in the TLS section. What's there now:

   Client implementations supporting the Request Object URI method MUST support TLS as recommended in Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [RFC7525].

   How about:

   Client implementations supporting the Request Object URI method MUST support TLS following Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) [RFC7525].

   Not a major change and just editorial, so take it or leave it.

2. In section 10, the introduction sentence leaves me wondering where the additional attacks against OAuth 2.0 should also have a pointer in this sentence:

   In addition to the all the security considerations discussed in OAuth 2.0 [RFC6819], the following security considerations should be taken into account.

3. Nit: in the first line of 10.4: "Although this specification does not require them, researchs" s/researchs/researchers/

4. I'm sure you'll be asked about the following:

   ISO/IEC 29100 [ISO29100] is a freely accessible International Standard and its Privacy Principles are good to follow.

   What about the IETF privacy considerations for protocols, RFC6973, were they also considered? I think you are covering what's needed, but no mention of it and favoring an ISO standard seems odd; using both is fine.

Thank you.

--
Best regards,
Kathleen
OAuth mailing list: https://www.ietf.org/mailman/listinfo/oauth
