Hi Hannes, all,

Sorry to have been slow with the AD review here. I've only a few comments (below) that can be handled as IETF LC comments. Any changes as a result of the recent thread on the definition of Issuer can also be done then.

Unless someone tells me to hold off for a new version, I'll request IETF LC for this later today.

Thanks,
S.

section 3, 2nd para: this says that an Issuer "signs" assertions, I think you do include MACing as well, right? If so, better to say so, so maybe s/signs/integrity protects/ would be better? If you are going to stick with "sign" to mean either digital signature or MAC, then please say so explicitly.

s3, 3rd para: if assertions MUST be signed, then MUST they also be verified by RPs? I think you should say.

5.2: "The Audience SHOULD be the URL of the Authorization Server's Token Endpoint" - are there any issues there with URL comparisons that need to be specified here? Or is that something to do for a specific type of assertion? Either way, might be good to say.
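
The 5.2 comment above asks whether URL comparison rules for the Audience need to be specified. As an added example (not part of the original message or of the draft), this Python sketch runs two plausible comparison rules over the same audience values and reports where they disagree. The endpoint URL, the sample values and the particular normalization steps are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed token endpoint URL (assumption, not taken from the draft).
TOKEN_ENDPOINT = "https://as.example.com/token"
DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed audience values an issuer might put in an assertion.
SAMPLES = [
    "https://as.example.com/token",       # identical string
    "HTTPS://AS.Example.COM/token",       # scheme/host case differs
    "https://as.example.com:443/token",   # explicit default port
    "https://as.example.com:8443/token",  # different port
    "https://as.example.com/token/",      # trailing slash
    "https://as.example.com/Token",       # path case differs
]


def exact_match(audience, endpoint=TOKEN_ENDPOINT):
    """Rule A: character-for-character comparison, no normalization."""
    return audience == endpoint


def normalize(url):
    """Lowercase scheme and host, drop the scheme's default port,
    and treat an empty path as '/'. The path is left case-sensitive."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{parts.port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path or '/'}{query}"


def normalized_match(audience, endpoint=TOKEN_ENDPOINT):
    """Rule B: compare after the normalization above."""
    return normalize(audience) == normalize(endpoint)


def disagreements(samples=SAMPLES):
    """Audience values that one rule accepts and the other rejects."""
    return [s for s in samples if exact_match(s) != normalized_match(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:40} exact={exact_match(s)!s:5} normalized={normalized_match(s)}")
    print("rules disagree on:", disagreements())
```

An issuer and an authorization server that each pick a different rule will reject each other's otherwise valid assertions for the values listed by `disagreements()`, which is why the comparison rule needs to be stated somewhere.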