As part of the preparation for the shepherd write-up, I reviewed the document and have the following comments:
https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-19.html

General comment

The document refers to a number of drafts that are not active anymore, e.g., token binding, pop key distribution, signing http requests, etc. What is the reason behind including these in this document?

Section 4.5.4

I am not clear on how the attacker can do that. Let's take the code_challenge example. Wouldn't the AS be able to detect this attack because it gets the *code verifier* associated with the *original code challenge* from the Client?

Nits

Section 2.1, 3rd paragraph, 3rd sentence: "MAY rely the" to ", MAY rely on the"

Section 2.3, second paragraph: replace ietf-oauth-resource-indicators with RFC8707

Section 4.1.3, last paragraph: replace the jwsreq and PAR draft references with rfc9101 and rfc9126 respectively.

Who might want to sweep through the document and update the various references, as there seem to be too many old references?

Regards,
Rifaat
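As an added illustration of the AS-side check the Section 4.5.4 comment above refers to (this is example code, not part of Rifaat's message, the draft, or any AS implementation): at the authorization endpoint the AS stores the client's code_challenge alongside the code it issues, and at the token endpoint it recomputes S256(code_verifier) as defined in RFC 7636 and compares it against the stored challenge, so a code that was issued for one code_challenge cannot be redeemed with a verifier that belongs to a different challenge. The function names (`issue_code`, `redeem_code`, `demo`) and the in-memory code store are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Stand-in for the AS's authorization-code store: code -> code_challenge.
# Constructed for this example; a real AS would also record client_id,
# redirect_uri, scope, and an expiry for each code.
_codes = {}


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the presented code_challenge to a fresh code."""
    if method != "S256":
        # The 'plain' method offers no protection; accept only S256 here.
        raise ValueError("only code_challenge_method=S256 is accepted")
    code = secrets.token_urlsafe(32)
    _codes[code] = code_challenge
    return code


def redeem_code(code: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single-use and only valid with the matching verifier."""
    # Remove the code regardless of the outcome so a second attempt always fails.
    challenge = _codes.pop(code, None)
    if challenge is None:
        return False
    # RFC 7636 Section 4.1: verifier length must be 43..128 characters.
    if not 43 <= len(code_verifier) <= 128:
        return False
    # Constant-time comparison of the recomputed challenge with the stored one.
    return hmac.compare_digest(s256_challenge(code_verifier), challenge)


def demo() -> tuple:
    """Show which redemptions the AS accepts.

    Returns (honest, mismatched, replayed):
      honest     - the code issued for the client's own challenge, redeemed with its verifier
      mismatched - a code issued for some other party's challenge, redeemed with that same verifier
      replayed   - the honest code presented a second time
    """
    client_verifier = secrets.token_urlsafe(48)          # 64 unreserved characters
    other_challenge = s256_challenge(secrets.token_urlsafe(48))

    own_code = issue_code(s256_challenge(client_verifier))
    other_code = issue_code(other_challenge)

    honest = redeem_code(own_code, client_verifier)       # True
    mismatched = redeem_code(other_code, client_verifier)  # False: verifier does not match stored challenge
    replayed = redeem_code(own_code, client_verifier)      # False: code already consumed
    return honest, mismatched, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The mismatch case is exactly the situation the comment asks about: because the AS holds the code_challenge from the original authorization request, a verifier that does not hash to that value is rejected at the token endpoint, independently of who presents the code.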
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth