https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-07.html has been
published to address your comments, Deb.
Thanks,
-- Mike
-----Original Message-----
From: Michael Jones <[email protected]>
Sent: Thursday, March 26, 2026 3:36 PM
To: Deb Cooley <[email protected]>; Filip Skokan <[email protected]>
Cc: Brian Campbell <[email protected]>;
[email protected]; Web Authorization Protocol
Working Group <[email protected]>; oauth <[email protected]>
Subject: RE: AD comments on draft-ietf-oauth-rfc7523bis
I approved the PR
https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis/pull/27. Thanks for
doing that, guys.
-- Mike
-----Original Message-----
From: Deb Cooley <[email protected]>
Sent: Thursday, March 26, 2026 3:27 PM
To: Filip Skokan <[email protected]>
Cc: Brian Campbell <[email protected]>;
[email protected]; Web Authorization Protocol
Working Group <[email protected]>; oauth <[email protected]>
Subject: Re: AD comments on draft-ietf-oauth-rfc7523bis
Filip (and Brian),
You are right, I have also come to the conclusion that idnits is wrong here.
apologies for that.
I will look at the PR soonest (prolly tomorrow). Although waiting until
after spring breaks are over (I forgot about those, again apologies), that is
fine as well.
Deb
On Thu, Mar 26, 2026 at 4:09 PM Filip Skokan <[email protected]> wrote:
> Hello Deb,
>
> I picked up a WIP PR from Brian to (hopefully) resolve your comments
> here
> <https://gith/
> %2F&data=05%7C02%7C%7C83e6fef89cb448fd867e08de8b880ab1%7C84df9e7fe9f64
> 0afb435aaaaaaaaaaaa%7C1%7C0%7C639101613575943450%7CUnknown%7CTWFpbGZsb
> 3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjo
> iTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=mh1gEWVXYZfEIPMMaHvRgVe0Y
> nZGCEZBbcZCqdojSTw%3D&reserved=0
> ub.com%2Foauth-wg%2Fdraft-ietf-oauth-rfc7523bis%2Fpull%2F27&data=05%7C
> 02%7C%7Caeb3cee0ed444f527dc108de8b86dc41%7C84df9e7fe9f640afb435aaaaaaa
> aaaaa%7C1%7C0%7C639101608487502793%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1
> hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=52LLsQQE6Bzv44HFNxNvkCK0%2BaWjdKcWFFXyUBGia%2BY%3D&reserved=0>.
> I reverted brian's attempt to fix BCP 14 references as I think idnits v3 is
> in error after comparing how BCP14 is referenced here vs other recently
> published documents. But I'll happily take you up on your offer to align it
> with a different example, that being said, as many iterations of this I've
> tried they all came back as issues from idnits anyway.
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Thu, 26 Mar 2026 at 20:07, Brian Campbell
> <[email protected]>
> wrote:
>
>> Apologies, the meeting and travel and inability to access some
>> systems on-site definitely did disrupt the getting things done list
>> for me. Further disruption is coming for me with the kids' spring
>> break starting soon (in a few hours for all intents and purposes with
>> respect to work). So I can only apologize again as realistically an
>> ETA for me responding in a useful way isn't until the week after next.
>>
>> On Thu, Mar 26, 2026, 11:13 AM Deb Cooley <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Can I get an eta for responses to my comments? I had assumed there
>>> was some urgency, but I recognize the meeting tends to disrupt
>>> things for a minute or two. The good news is that we are probably
>>> only looking at a 2 week IETF Last Call.
>>>
>>> Deb
>>>
>>> On Wed, Mar 11, 2026 at 11:28 AM Deb Cooley <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Below is a complete set of my comments on this draft (I've pestered
>>>> the authors about a couple of early comments raised by idnits already).
>>>>
>>>> idnits v3 (experimental) raised three issues, one of them is legit,
>>>> one is borderline, and the last is clearly in error:
>>>> - idnits points out that it is preferred if BCP 14 is referenced.
>>>> If you need me to find you an example of how to do this, I can.
>>>>
>>>> - RFCs to be updated are not in the Abstract.
>>>>
>>>> - the third entry here is clearly in error. Mea Culpa. (about
>>>> open.org in the references)
>>>>
>>>> Section 1: (improve clarity) The token identifies the recipient? via
>>>> an audience value(s)? If that is correct, then maybe the second sentence
>>>> could be something like 'These tokens, which identify the
>>>> recipient, contain an audience value(s). s/aud/'aud' (or something
>>>> to make it obvious that this is a field name).
>>>>
>>>> Section 3, replacing text: I'm not sure the parenthetical for
>>>> Section
>>>> 2.2 (The authors re not actually aware....)adds much. I would remove it.
>>>>
>>>> Section 4 a. and b.: Just to be sure I understand... for an
>>>> authorization grant the audience can be the token endpoint URL (and
>>>> nothing else), but for client authentication, the 'aud' claim value
>>>> must not be the token endpoint URL (it has to be the issuer
>>>> identifier). Assuming that audience = aud (audience) claim value.
>>>> [I have no judgement on this, just being sure this is what you
>>>> intended to say.]
>>>>
>>>> Section 7.1.1, contact information: I believe we can use oauth for
>>>> this contact (vice a person). This is the authors' preference.
>>>>
>>>>
>>>> The publication window opens on Monday, hopefully it is fine to
>>>> wait until then. Once these are addressed, I will put the draft
>>>> into IETF Last Call (3 weeks because of IETF 125).
>>>>
>>>> Thanks for your patience,
>>>> Deb
>>>>
>>>>
>>>>
>>>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s).
>> Any review, use, distribution or disclosure by others is strictly
>> prohibited
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
