Reviewer: Robert Sparks
Review result: Ready with Issues

Summary: essentially ready but with issues to consider before being published as a proposed standard RFC.

Issues:

I expected to find some discussion of considerations of avoiding "step down" given the intuitive appeal to "step up". Can the client or Authorization server notice if the resource server has through whatever fault asserted that it will only accept the use of an authentication context class that is blatantly inferior to what has already been provided? And if they notice, what is expected to happen? Or is it expected that this is allowed, particularly when a short max_age is also supplied?

The document also suggests that the client hold on to, and possibly re-use in the future, access tokens that have been challenged as having insufficient user authorization. Is this behavior something that follows a well-known and well-implemented pattern documented elsewhere? If so, a pointer would be useful. If not, this seems like something that deserves more discussion if not more definition.

Nits:

The reference to abr-twitter-reply will go away with the changelog when the RFC Editor removes it. It would be kind to acknowledge that in the note to the RFC Editor so that they know it's expected and don't have to ask.
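The "step down" question in the first issue, illustrated as added example code that is not part of the review or of the draft: a client-side check that parses the Bearer challenge the step-up mechanism uses (the `insufficient_user_authentication` error with `acr_values` and `max_age`) and compares it with the `acr` and `auth_time` claims of the token the client already holds. The ACR URNs and their strength ranking are assumptions for this example; ACR values carry no ordering in the specification, so a client can only detect a step-down against a deployment-configured ranking.

```python
import re
import time

# Assumed deployment policy: ACR values this client knows, ranked weakest to
# strongest. The spec defines no ordering; this ranking is local configuration.
ACR_RANK = {
    "urn:example:acr:pwd": 1,   # constructed example value
    "urn:example:acr:mfa": 2,   # constructed example value
    "urn:example:acr:hw": 3,    # constructed example value
}

def parse_bearer_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its auth-params."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    # Quoted-string params only; sufficient for the parameters used here.
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def evaluate_challenge(header, token_claims, now=None):
    """Classify a step-up challenge relative to the token already held.

    Returns "step_up", "step_down", "unknown_acr", "reauth", "satisfied",
    or "other" when the challenge is not a step-up challenge at all.
    """
    now = time.time() if now is None else now
    params = parse_bearer_challenge(header)
    if params.get("error") != "insufficient_user_authentication":
        return "other"
    wanted = params.get("acr_values", "").split()
    current_acr = token_claims.get("acr")
    current = ACR_RANK.get(current_acr, 0)
    if wanted and current_acr not in wanted:
        ranks = [ACR_RANK.get(a, 0) for a in wanted]
        if 0 in ranks:
            return "unknown_acr"      # cannot compare; do not silently comply
        # Every acceptable ACR is weaker than what we already hold: step-down.
        return "step_down" if max(ranks) < current else "step_up"
    # ACR already acceptable (or unconstrained): only freshness can be at issue.
    max_age = params.get("max_age")
    if max_age is not None and now - token_claims.get("auth_time", 0) > int(max_age):
        return "reauth"
    return "satisfied"
```

A client that logs or refuses "step_down" and "unknown_acr" outcomes, rather than re-authenticating, gives the authorization server and operators a signal that a resource server is misconfigured or misbehaving.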