Here are the comments on my AD review of this draft. Most of them will be easy to fix, except for the normative references to changeable standards:
General: There are more than a couple of Normative references that are pointing to 'living documents'. From my reading of the draft these include: Cookie Prefixes, Fetch, Web-messaging, service-workers, webstorage. If at all possible, we need to find a way to specify a particular version via commit, snapshot, archive to make an immutable version. Or find a way to make them Informative. Basically this draft will be an RFC - immutable, yet a few of the Normative references are changeable.

BCP 14 boilerplate: idnits (a little blue button '! Nits' on the line above the text of the draft on the main datatracker page) is throwing errors on the BCP14 boilerplate. Ideally, I'd like these fixed before moving this along (it just eliminates problems down the road).

Section 6.1.3.2, para 4: '...the BFF SHOULD encrypt its cookie contents.' Why not a MUST? Under what circumstances would it be reasonable to ignore this SHOULD?

Section 6.1.3.2, last para: Add this to the (Informative) references.

Section 6.3.4.2.2, first para: Add 'CryptoKeyPair' to the (Informative) references.

Section 7.4, first para, last sentence: Nit: 'This restrictions' should either be 'these restrictions' or 'this restriction'.

Section 11: RFC6819 is a normative reference, but it is Informational. We need to call that out in the IETF Last Call, and I have to approve the downref (which I will do).

Deb
Sec AD for oauth
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org