Vittorio, Brian,

The following is my document shepherd review for the step-up authentication document:
https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-06.html

*Comments*

* Section 4, first sentence:
  You might have a reason for using MAY, instead of SHOULD, but it is not obvious to me. Can you add some text to explain the reason for this?

* Section 5
  “when it comes to access tokens in this specification it is RECOMMENDED that the requested acr value is treated as required”
  Not sure why this sentence started in such a way. Why not just explicitly use MUST to make sure that the acr value is included in the access token?

* Section 9, last sentence
  I think we need to have a stronger statement here and not leave it wide open like this. Maybe state that the resource server SHOULD NOT return a challenge if the request did not include a valid token?

*Nits*

Section 2 - “not be necessarily hold true” -> drop the “be”
Section 5 - Thee -> The
Section 8 - any undesirable -> an undesirable
Section 9 - {#Challenge} -> fix the reference

Regards,
Rifaat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth