Hi, thanks for a great document. I have some minor comments.

In the Abstract, "...based on either single certificates...": why not write self-signed certificates? To me that is easier to understand, and it is the term that is used later in the document.

What is the rationale behind writing "OAuth protected resources" or just "a protected resource" instead of resource server? The term resource server is used later in the document.

4.1. Authorization Server: is it not mandatory for the AS to not do PKI validation of self-signed certificates, i.e. should the following sentence, "it should configure the TLS stack in a way", be changed to "it must configure the TLS stack in a way"?

Finally, it might make sense to mention the relation of this document to RFC7521, RFC7522 and RFC7523. RFC7521 defines a client credentials framework and the other two are examples of profiles. It also mentions proof-of-possession. Maybe as an appendix similar to "Relationship to Token Binding".

Best regards
//Samuel
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth