Last Call Review of draft-ietf-oauth-discovery-07
review-ietf-oauth-discovery-07-secdir-lc-eastlake-2017-10-26-00

Request Review of draft-ietf-oauth-discovery
Requested rev. no specific revision (document currently at 10)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-10-09
Requested 2017-09-25
Other Reviews Opsdir Last Call review of -07 by Shwetha Bhandari (diff)
Genart Last Call review of -07 by Brian Carpenter (diff)
Genart Telechat review of -08 by Brian Carpenter (diff)
Review State Completed
Reviewer Donald Eastlake
Review review-ietf-oauth-discovery-07-secdir-lc-eastlake-2017-10-26
Posted at https://mailarchive.ietf.org/arch/msg/secdir/ES9tgrRBGr8tetoGBwosdOPuYKg
Reviewed rev. 07 (document currently at 10)
Review result Has Nits
Draft last updated 2017-10-26
Review completed: 2017-10-26

Review
review-ietf-oauth-discovery-07-secdir-lc-eastlake-2017-10-26

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is draft is ready with one nit.

This draft defines a metadata format that an OAuth 2.0 client can use to
obtain the information needed to interact with an OAuth 2.0 authorization
server, including its endpoint locations and authorization server
capabilities.

While I am not deeply familiar with this area of security technology, the
extensive Security Considerations section seems thorough and correct as far
as I can see.

Nit: The reference to RFC 5226 should probably be updated to RFC 8126

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 <(508)%20333-2270> (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com