Roman Danyliw has entered the following ballot position for draft-ietf-oauth-resource-metadata-10: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-metadata/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

** Section 2.2

   signed_metadata
      A JWT containing metadata values about the protected resource as
      claims. This is a string value consisting of the entire signed
      JWT. A signed_metadata metadata value SHOULD NOT appear as a
      claim in the JWT.

If signed_metadata appears as a claim, what should be done with it?

** Section 7.1

   Implementations SHOULD follow the guidance in BCP 195 [RFC8996]
   [RFC9325], which provides recommendations and requirements for
   improving the security of deployed services that use TLS.

Why can’t this document require (MUST) conformance to BCP 195 and delegate responsibility to maintaining those recommendations to the BCP?

** Section 7.3

   TLS certificate checking MUST be performed by the client, as
   described in Section 7.1,

What guidance in Section 7.1 discusses TLS certificate checking?

** Section 8.1.1

   Change Controller: For Standards Track RFCs, list the "IETF".

Wouldn’t “IETF” be listed for all RFCs in the IETF stream?

** Section 8.3.1

   * URI suffix: oauth-protected-resource
   * Change controller: IETF
   * Specification document: Section 3 of [[ this specification ]]
   * Related information: (none)

For editorial clarity, https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml uses “Reference” not “Specification document”. Consider harmonizing the column names.

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org