Hi! I conducted a second AD review of draft-ietf-oauth-mtls per the AD hand-off. I have the following additional feedback:

** Per ekr's earlier review at https://mozphab-ietf.devsvcdev.mozaws.net/D3657, paraphrasing:

-- Section 2.1.2, How are these metadata parameters being obtained?

-- Section 3.2, Figure 3. In this example, what new information is the auth server providing to the relying party here?

** Section 2.0. What is the expected behavior if the presented certificate doesn't match expected client_id? How is this signaled?

** Section 2.2. Per the sentence "As pre-requisite, the client registers its X.509 certificate ... or a trusted source for its X.509 certificates ... with the authorization server."

-- Editorial: s/As pre-requisite/As a prerequisite/

-- What's a "trusted source" in this case? Is that just a jwks_uri? If so, maybe s/a trusted source/a reference to a trust source/. If not, can you please elaborate.

A few editorial nits:

** Section 2.2.2. Typo. s/sec 4.7/Section 4.7/

** Section 3.1 Cite DER encoding as:

   [X690] ITU-T, "Information Technology -- ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, 2015.

** Section 5. Typo. s/metatdata/metadata/

** Section 6. Typo. s/The the/The/

** Section 7.2. Typo. s/the the/the/

** Appendix. Cite the figure numbers (#5 - 7) in the text describing the contents of the section.

The shepherd write-up is in good shape. Thank you.

Regards,
Roman