[OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Murray Kucherawy via Datatracker <noreply@ietf.org> Wed, 12 August 2020 07:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bBfIbWaCb68p79a_Z4lWIHpVZeY>

Murray Kucherawy has entered the following ballot position for
draft-ietf-oauth-jwsreq-26: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


The directorate reviews are from 15 or more versions ago.  I wonder if
returning documents like this should be sent through the directorates again as
a matter of course.

Abstract: "... the communication through the user agents are not ..." --

Section 1 expressly cites two IANA URLs.  I suggest simply naming the registry
or sub-registry; the URLs might not be permanent.  Or if you like the URL, do
it as a reference, as you did with [IANA.MediaType].

The two bullets at the end of Section 1 toggle between "crypto" and
"cryptography".  I suggest picking one, preferably the latter (as did the rest
of the document).

In Section 3, should URI and URL include references to their defining RFCs?  I
realize a reader familiar with this space probably knows those terms, but they
seem to be the only acronyms without a reference here.

When would an implementer legitimately disregard the SHOULD in Section 4?

As Benjamin Kaduk also expressed, I'm a little puzzled by this text in Section
5.2: "The "request_uri" value MUST be reachable by the Authorization Server." 
Is this part of the protocol?

All of the subsections of Section 9 say: "This specification adds the following
values to the "OAuth Parameters" registry established ..." but they all are
actually modifying different sub-registries.  I suggest naming the
sub-registries explicitly.  I realize the subsection titles have it right, but
this line of repeated prose had me squinting a bit.