Reviewer: Russ Housley Review result: Almost Ready I am the assigned ART-ART reviewer for this draft. Please treat these comments just like any other last call comments. Document: draft-ietf-oauth-security-topics-25 Reviewer: Russ Housley Review Date: 2024-02-18 IETF LC End Date: 2024-02-22 IESG Telechat date: Unknown Summary: Almost Ready Major Concerns: Section 4: Some of the subsections contain MUST, MUST NOT, SHOULD, and MAY statements. Given the structure of the document, I expected all of the words that are defined in RFC 2119 to appear is Section 2, with discussion of attacks in Section 4. Please consider lower case words. Minor Concerns: Section 1: I recognize that the term "Anti-patterns" is gaining favor, but I still think that you should provide a brif introduction to the concept. Perhaps: Anti-patterns are patterns in software development that are considered bad programming practices, but they seem to happen over and over. Section 2.3: It says: ... If not, the resource server must refuse to serve the respective request. ... The "If not" is ambiguous. Which aspects of the previous sentence does this cover? Part is implemented by the access server and part is implemented by the resource server. Can the resource server always determin whether the "the authorization server associates the access token with the respective resource and actions"? Please clarify. Section 2.5: When is client authentication not possible? In other words, under what circumstances does an authorization server implementer ignore this SHOULD statement? Section 4.1.1: The text says: "First, the attacker ..." However, there is not "Second" or "Then" to go wit the "First". Please reword. Perhaps: s/First/To begin/ Section 4.1.2: The text says: "First, the attacker ..." However, there is not "Second" or "Then" to go wit the "First". Please reword. Perhaps: s/First/To begin/ Nits: Abstract: Because the Abstract is not allowed to contain references: s/[RFC6749], [RFC6750], and [RFC6819]/ /RFC 6749, RFC 6750, and RFC 6819/ Section 1: s/client talks to/client is talking to/ Section 1: s/when feasible/as soon as feasible/ Section 2.5: s/authentication if possible./authentication./ Section 3: s/attacker model/threat model/ (multiple places) Section 3: s/(wifi)/(Wi-Fi)/ Section 4.4.1: I do not think the bolding in the Variants bullets is helpful to the reader, especially in the plaintext document. Section 4.10.1: I do not think the bolding at the send of the section is helpful to the reader, especially in the plaintext document. -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call