Hi! I performed an AD review of draft-ietf-oauth-iss-auth-resp-02. Thanks for documenting this mitigation.
The document is in good shape so I am advancing it to IETF LC. Please treat these minor comments as part of that feedback:

** Section 2.4. Editorial.

   The decision of whether to accept such responses is individual for every scenario and it is not in the scope of this specification.

Would it be more clear to say: "Local policy or configuration can determine whether to accept such responses and specific guidance is out of scope for this specification." There is also similar language in the next paragraph.

** Section 5.1 and 5.2. Per the "Change Control" field, please s/IESG/IETF/

Thanks,
Roman