Last Call Review of draft-ietf-oauth-discovery-07
review-ietf-oauth-discovery-07-secdir-lc-eastlake-2017-10-26-00

Request Review of draft-ietf-oauth-discovery
Requested revision No specific revision (document currently at 10)
Type IETF Last Call Review
Team Security Area Directorate (secdir)
Deadline 2017-10-09
Requested 2017-09-25
Authors Michael B. Jones, Nat Sakimura, John Bradley
I-D last updated 2018-06-28 (Latest revision 2018-03-04)
Completed reviews Opsdir IETF Last Call review of -07 by Shwetha Bhandari
Secdir IETF Last Call review of -07 by Donald E. Eastlake 3rd
Genart IETF Last Call review of -07 by Brian E. Carpenter
Genart Telechat review of -08 by Brian E. Carpenter
Assignment Reviewer Donald E. Eastlake 3rd
State Completed
Request IETF Last Call review on draft-ietf-oauth-discovery by Security Area Directorate Assigned
Reviewed revision 07 (document currently at 10)
Result Has nits
Completed 2017-10-26
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  Document
editors and WG chairs should treat these comments just like any other last
call comments.

The summary of the review is: the draft is ready with one nit.

This draft defines a metadata format that an OAuth 2.0 client can use to
obtain the information needed to interact with an OAuth 2.0 authorization
server, including its endpoint locations and authorization server
capabilities.

While I am not deeply familiar with this area of security technology, the
extensive Security Considerations section seems thorough and correct as far
as I can see.

Nit: The reference to RFC 5226 should probably be updated to RFC 8126.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com