Thank you for the review Luigi. The secdir review also highlighted the need for improved treatment of migration and interoperability considerations. A new "Operational Considerations" section seems like an appropriate place for that content. I added a comment to the issue tracking the secdir review https://github.com/oauth-wg/draft-ietf-oauth-rfc7523bis/issues/28.
Usage of the new media type is specified in https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-07.html#section-4-5.1.1 and shown in the example https://www.ietf.org/archive/id/draft-ietf-oauth-rfc7523bis-07.html#section-4.1-6. Whether or not this is a great use of media types is, to me anyway, a reasonable question https://mailarchive.ietf.org/arch/msg/oauth/IRYjOn88hDh-Rk1i9R-fIyznMnA/ but one that is not in scope of this draft.

On Wed, Apr 15, 2026 at 2:31 AM Luigi Iannone via Datatracker <[email protected]> wrote:

> Document: draft-ietf-oauth-rfc7523bis
> Title: Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants
> Reviewer: Luigi Iannone
> Review result: Has Issues
>
> Hi,
>
> I have been selected as the Operational Directorate (opsdir) reviewer for this Internet-Draft.
>
> The Operational Directorate reviews all operational and management-related Internet-Drafts to ensure alignment with operational best practices and that adequate operational considerations are covered.
>
> A complete set of _"Guidelines for Considering Operations and Management in IETF Specifications"_ can be found at https://datatracker.ietf.org/doc/draft-ietf-opsawg-rfc5706bis/.
>
> While these comments are primarily for the Operations and Management Area Directors (Ops ADs), the authors should consider them alongside other feedback received.
>
> - Document: draft-ietf-oauth-rfc7523bis-07
> - Reviewer: Luigi Iannone
> - Review Date: 15 April 2026
> - Intended Status: Standards Track
>
> ---
>
> ## Summary
>
> - Has Issues: I have some minor concerns about this document that I think should be resolved before publication.
>
> ## General Operational Comments: Alignment with RFC 5706bis
>
> This document is basically a security fix for RFC7521, RFC7522, RFC7523 and RFC 9126, all of which are updated by this document. In particular it fixes ambiguities in the audience values in tokens sent from a client to an authorization server.
>
> Besides the specifications themselves, there are clear operational consequences, and while RFC7521, RFC7522, RFC7523 have an "Interoperability Considerations" section, this document (at revision -07) does discuss at all operational aspects.
>
> ## Major Issues
>
> I suggest (in accordance with 5706bis - see link above) to add an "Operational Considerations" section covering the following missing points:
>
> - Interoperability aspects. Discuss any interoperability aspect that changes (or not) with respect to the RFCs that are updated.
>
> - Migration path: How to make sure that both client and server support this document? What happens if it is not the case (only one end supports this document but the other end does not)?
>
> - Any change in the management aspects (parameters agreement)? Is there any operational change that needs to be explicitly stated?
>
> ---
>
> ## Minor Issues
>
> In the IANA Section it is requested to register a new media type, but the document does explicitly state where and when to use such media type. Please add a short description with references to the relevant RFCs.
>
> ---

--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
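The quoted review summarises the draft as fixing ambiguities in the audience values of JWTs a client sends to the authorization server. As an added illustration, not code from the draft or from either correspondent in this thread, the Python below shows an authorization-server-side check that accepts a client assertion only when its `aud` claim is a single string exactly equal to the server's own issuer identifier, rejecting a token-endpoint URL, an array form, or anything else. The issuer identifier, token endpoint, shared HMAC key and the HS256 token builder are constructed for the example; the exact audience rules an implementation must apply are whatever the draft specifies, and this strict single-string policy is just one way to leave no room for audience confusion.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example: a hypothetical authorization server
# and a shared secret used only so the snippet can sign and verify offline.
AS_ISSUER = "https://as.example"
AS_TOKEN_ENDPOINT = "https://as.example/token"
SHARED_KEY = b"example-client-secret-not-for-real-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_client_assertion(claims: dict, key: bytes) -> str:
    """Client side of the example: build an HS256-signed JWT over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def audience_matches(aud, expected_issuer: str) -> bool:
    """Strict audience policy used by this example.

    Accept only a single JSON string equal to the AS issuer identifier. An
    array (even one that contains the right value), the token endpoint URL,
    or any other representation is rejected, so exactly one form is valid.
    """
    return isinstance(aud, str) and aud == expected_issuer


def verify_client_assertion(token: str, key: bytes, expected_issuer: str):
    """Return (accepted, reason). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return False, "undecodable JWT"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return False, "bad signature"
    if "aud" not in claims:
        return False, "missing aud"
    if not audience_matches(claims["aud"], expected_issuer):
        return False, "aud is not exactly the AS issuer identifier"
    return True, "ok"


if __name__ == "__main__":
    # Three constructed assertions: issuer identifier (accepted), token endpoint
    # URL (rejected), and an array containing the issuer identifier (rejected).
    for aud in (AS_ISSUER, AS_TOKEN_ENDPOINT, [AS_ISSUER, "https://other.example"]):
        token = make_client_assertion({"iss": "client-1", "sub": "client-1", "aud": aud}, SHARED_KEY)
        print(repr(aud), "->", verify_client_assertion(token, SHARED_KEY, AS_ISSUER))
```

The order of checks matters operationally: the signature is verified before `aud` is inspected, so a rejection reason never leaks which audience values the server would have accepted to a party that could not produce a valid signature in the first place.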
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
