Reviewer: Benjamin Schwartz Review result: Ready This is a very mature, carefully drafted specification. Question: Under Dynamic Client Registration, do we need a mechanism for the client learn the required signature algorithms? In general, there is no discussion of how mutually acceptable signature algorithms might be negotiated. Unlike cryptographic nonces, it is acceptable for clients to use the same nonce multiple times, and for the server to accept the same nonce multiple times. This suggests that there may be another term that is better than "nonce", such as "epoch", "session ID", or "tag". Section 11.4: This grant needs to be "silent", i.e., not require interaction with the user. Why? Surely an occasional user authentication refresh is not such a red flag to ordinary users. -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call