Hi Julian,

thank you for your comments. Answers inline. We mostly addressed them locally and will publish a new version when all IESG reviews are available and addressed by us.

Best regards,

On 01.11.2021 11:33, Julian Reschke via Datatracker wrote:
> Review is partially done. Another assignment may be needed to complete it.
>
> Reviewer: Julian Reschke
> Review result: Almost Ready
>
> (I have reviewed this with zero knowledge of OAuth, so additional review probably would be good)
>
> Major issues:
>
> 2.4 "Clients MUST compare the extracted and URL-decoded value to the issuer identifier of the authorization server where the authorization request was sent to."
>
> I'm not sure that "URL-decoded" is correct with respect to decoding query parameters. Consider URLs containing "+" or "=". You probably need the encoding rules for application/x-www-form-urlencoded instead.

Good point. We changed the text to refer to application/x-www-form-urlencoded.

> Minor issues:
>
> References to registries should not be listed as normative.

+1, that was an editorial mistake. Fixed.

> Nits:
>
> Section links to external documents do not appear to be marked up as such (and use a trailing dot in the section number which they should not)

I am actually not sure how to fix this. I removed the trailing dot (thanks for the hint) but when converting markdown to XML the section is not automatically recognized.

My markdown looks like this:

The authorization response as specified in Section 4.1.2 of [@!RFC6749]

The XML file like this:

Is there an example of how to link the sections in external RFCs, or should we create the links manually?

> There are no Acks; so section 6 should be deleted (if there were acks they should go into an unnumbered section at the end of the document)

We added missing Acks and moved them to the appendix.

-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant

Phone: +49 (0)234 / 54456499
Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Is your OAuth or OpenID Connect application vulnerable to mix-up attacks? Find out more on our blog: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
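The decoding rule discussed above (the `iss` value in the authorization response has to be decoded with application/x-www-form-urlencoded rules rather than generic percent-decoding before it is compared with the issuer identifier of the authorization server the request went to), shown as an added Python example that is not part of this thread or of the draft itself. The redirect URLs, issuer identifiers and function names below are constructed for illustration; the example assumes the response arrives as a redirect URL with the parameters in the query component and that the client remembers, per request, which authorization server it talked to.

```python
"""Added example (not from the draft or the mailing-list thread).

Shows (1) why "URL-decoded" is ambiguous for query parameters: plain
percent-decoding and application/x-www-form-urlencoded decoding disagree
on '+', and (2) a client-side check that extracts `iss` with
form-urlencoded rules and rejects a response whose issuer differs from
the one the authorization request was sent to (mix-up defence).
All URLs and names here are constructed sample values.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit


def decoding_difference(raw: str) -> Tuple[str, str]:
    """Return (plain percent-decoding, form-urlencoded decoding) of `raw`.

    unquote() leaves a literal '+' alone; unquote_plus() turns it into a
    space, which is what a query parameter produced by a form-urlencoded
    encoder means. For "a+b%2Bc" the two results differ.
    """
    return unquote(raw), unquote_plus(raw)


def extract_iss(redirect_url: str) -> Optional[str]:
    """Return the single `iss` parameter of an authorization response, or None.

    parse_qs applies the application/x-www-form-urlencoded rules: it splits
    on '&', splits each pair on the *first* '=' only (so a literal '=' inside
    a value survives), maps '+' to a space and then percent-decodes.
    """
    query = urlsplit(redirect_url).query
    params = parse_qs(query, keep_blank_values=True)
    values = params.get("iss", [])
    if len(values) != 1:
        # Missing, or sent more than once: do not guess which one is meant.
        return None
    return values[0]


def verify_issuer(redirect_url: str, expected_issuer: str) -> bool:
    """Exact string comparison with the issuer the request was sent to.

    The conservative choice in this example is no normalisation at all
    (no case folding, no trailing-slash handling): the client stores the
    issuer identifier it used and requires a byte-for-byte match.
    """
    iss = extract_iss(redirect_url)
    return iss is not None and iss == expected_issuer


# Constructed issuers: the AS the client really used, and a second AS the
# client also trusts but did NOT send this particular request to.
HONEST_AS = "https://as.example.com"
OTHER_AS = "https://other-as.example.net"


def demo() -> Tuple[bool, bool]:
    """Run the check on a genuine response and on a mixed-up one."""
    # The client remembered (e.g. keyed by `state`) that this request went to HONEST_AS.
    genuine = (
        "https://client.example.org/cb?code=abc123&state=xyz"
        "&iss=https%3A%2F%2Fas.example.com"
    )
    # Same code/state, but the `iss` names a different AS: must be rejected.
    mixed_up = (
        "https://client.example.org/cb?code=abc123&state=xyz"
        "&iss=https%3A%2F%2Fother-as.example.net"
    )
    return verify_issuer(genuine, HONEST_AS), verify_issuer(mixed_up, HONEST_AS)


if __name__ == "__main__":
    print("decoding 'a+b%2Bc':", decoding_difference("a+b%2Bc"))
    print("genuine accepted, mixed-up accepted:", demo())
```

The `decoding_difference` helper is there only to make the reviewer's point concrete: a client that percent-decodes the raw query value and a client that applies the form-urlencoded rules can end up comparing different strings, so the draft has to say which one it means.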
-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call