A few things caught my eye in this document:

- Section 4.1 defines the DPoP header field as a JWT, which (as I understand it) is a base64-encoded string. If that's the case, I'd recommend making it a Structured Field Item (see RFC8941 s 3.3) with a fixed type of Byte Sequence (s 3.3.5). That will require changing the syntax to add a prefix and suffix of ":".

- The DPoP-Nonce header field's syntax isn't obviously specified. It should be. I'd suggest a Structured Field Item with a fixed type of String (RFC 8941 s 3.3.3), which would surround the value with quotes.

- Neither header has interoperable parsing or serialisation specified; divergent error handling may cause interoperability problems. Adopting Structured Fields would address this.

- See RFC9110 s 16.3.2 for things that should be considered when defining new HTTP fields. I suspect that the document needs to be more explicit about at least some of these items. Adopting Structured Fields would address some (but not all) of these questions.

- See also <https://httpwg.org/admin/editors/style-guide#header-and-trailer-fields> for the preferred editorial style when defining new HTTP fields.

- The long line-wrapped example in Section 4.1 would benefit from RFC8792 encoding. In HTTP, a line-wrapped field like the one shown has whitespace inserted between each line, which is problematic here.

Cheers,

> On 19 Jan 2023, at 5:30 am, David Dong via RT
> <drafts-expert-review-comm...@iana.org> wrote:
>
> Dear Mark Nottingham and Roy Fielding (cc: oauth WG),
>
> As the designated experts for the http-fields registry, can you review the
> proposed registration in draft-ietf-oauth-dpop for us? Please see:
>
> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>
> The due date is February 1st, 2023.
>
> If this is OK, when the IESG approves the document for publication, we'll
> make the registration at
>
> https://www.iana.org/assignments/http-fields/http-fields.xhtml
>
> We'll wait for both reviewers to respond unless you tell us otherwise.
>
> With thanks,
>
> David Dong
> IANA Services Specialist

--
Mark Nottingham https://www.mnot.net/
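For readers unfamiliar with the two fixed-type Structured Field Items suggested in the review above (String, quoted; Byte Sequence, wrapped in ":"), the following added example serialises and strictly parses both. It is not code from the draft or from the reviewer, it handles only a bare item and rejects parameters as a simplification, and the function names and sample values are constructed for illustration.

```python
import base64
import re

B64_CHARS = re.compile(r"[A-Za-z0-9+/=]*")  # alphabet allowed between the colons

def serialize_string(value: str) -> str:
    # sf-string: printable ASCII only, with backslash and DQUOTE escaped
    if any(not 0x20 <= ord(c) <= 0x7E for c in value):
        raise ValueError("sf-string allows only printable ASCII")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def serialize_bytes(value: bytes) -> str:
    # sf-binary: padded base64 wrapped in a ":" prefix and suffix
    return ":" + base64.b64encode(value).decode("ascii") + ":"

def parse_item(field: str):
    """Return str for an sf-string, bytes for an sf-binary; raise ValueError otherwise."""
    s = field.strip(" ")
    if s.startswith('"'):
        out, i = [], 1
        while i < len(s):
            c = s[i]
            if c == "\\":  # only \" and \\ are legal escapes
                if s[i + 1:i + 2] not in ('"', "\\"):
                    raise ValueError("invalid escape")
                out.append(s[i + 1]); i += 2
            elif c == '"':
                if i + 1 != len(s):
                    raise ValueError("trailing data after string")
                return "".join(out)
            elif 0x20 <= ord(c) <= 0x7E:
                out.append(c); i += 1
            else:
                raise ValueError("character outside printable ASCII")
        raise ValueError("unterminated string")
    if s.startswith(":"):
        end = s.find(":", 1)
        if end != len(s) - 1 or end < 1:
            raise ValueError("missing closing ':' or trailing data")
        body = s[1:end]
        if not B64_CHARS.fullmatch(body):
            raise ValueError("character outside the base64 alphabet")
        body = body.rstrip("=")  # synthesise padding if the sender omitted it
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    raise ValueError("not an sf-string or sf-binary")

def is_valid(field: str) -> bool:
    try:
        parse_item(field)
        return True
    except ValueError:
        return False
```

Every malformed input fails the same way (a `ValueError`), which is the uniform error handling the review says the two fields currently lack.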