Last Call Review of draft-ietf-oauth-access-token-jwt-11
review-ietf-oauth-access-token-jwt-11-secdir-lc-salowey-2021-02-07-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is the document has issues.

1.  (Editorial) What is the relationship between this document and RFC 7523. 
They are using JWT for different purposes, but I think it would be useful to
clarify this in the introduction.

2.  (Issue) The specification does not specify any mandatory to implement for
the recommended asymmetric algorithms.  This will not help interop.  Perhaps
specify one or both of  "RS256" and "ES256".

3. (Question) Is it currently possible to use the JWT access token in a mode
other than a bearer token?  For example is there a way to bind the JWT to a
verifiable key or identifier.  If there is, there should be some discussion of
this in the security considerations.  If not, do the authors know if there is
any work planned in this area?

4. Genart review pointed out a nit that should be fixed.