[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment VI

2012-04-23 Thread Brian Campbell
The treatment of client_id in draft-ietf-oauth-assertions-01 seems a bit inconsistent/problematic. §4.1 & 4.2 say it's OPTIONAL. §'s 6.1 and 6.2 have, "The client_id HTTP parameter SHOULD identify the client to the authorization server" while 6.3 and 6.4 have, "The client_id HTTP parameter MUST iden

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment IV

2012-04-23 Thread Brian Campbell
§4.2* discusses the use of the scope parameter in an authorization grant request. This section should probably reference §3.3 of draft-ietf-oauth-v2** for the formal definition of scope and, subsequently, a fair amount of text can be removed from the assertions draft. * http://tools.ietf.org/htm

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment III

2012-04-23 Thread Brian Campbell
The following text appears in §4.1 and §4.2 defining (describing because it's already defined in core?) the client_id parameter, "client_id OPTIONAL. The client identifier as described in Section 3 of OAuth 2.0 [ I-D.ietf.oauth-v2

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment II

2012-04-23 Thread Brian Campbell
The third paragraph of §4.1* has, "The following section defines the use of assertions as client credentials as an extension of Section 3.2 of OAuth 2.0 [ I-D.ietf.oauth-v2

[OAUTH-WG] draft-ietf-oauth-assertions WGLC comment

2012-04-23 Thread Brian Campbell
§6.1 on Client authentication* has the following requirement, "The Principal MUST identify an authorized accessor. If the assertion is self-issued, the Principal SHOULD be the client_id." which doesn't really make sense for client authentication. The self-issuedness of the assertion should have