Last Call Review of draft-ietf-oauth-dyn-reg-24
review-ietf-oauth-dyn-reg-24-genart-lc-carpenter-2015-03-05-00

Team General Area Review Team (Gen-ART) (genart)
Title Last Call Review of draft-ietf-oauth-dyn-reg-24
Request Last Call - requested 2015-03-04
Reviewer Brian Carpenter
Review result Almost Ready
Posted at http://www.ietf.org/mail-archive/web/gen-art/current/msg11434.html
Last updated 2015-03-05

Review
review-ietf-oauth-dyn-reg-24-genart-lc-carpenter-2015-03-05

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at
<

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-oauth-dyn-reg-24.txt
Reviewer: Brian Carpenter
Review Date: 2015-03-05
IETF LC End Date: 2015-03-16
IESG Telechat date:

Summary: Almost ready
--------

Issues:
-------

>2.  Client Metadata
>   ...
>   The following client metadata fields are defined by this
>   specification.
>   ...
>   ...
>   Extensions and profiles of this specification MAY expand this list.

That definitely needs a forward reference to the IANA Considerations.
I don't think it's an RFC 2119 MAY, so it should read something like

  Extensions and profiles of this specification may expand this list
  with metadata names registered in accordance with the IANA Considerations
  in Section 4 of this document.

>   The authorization server MUST ignore any client metadata values sent
>   by the client that it does not understand.

Silently, or with an error report?

>4.  IANA Considerations
>
>4.1.  OAuth Dynamic Registration Client Metadata Registry
>
>   This specification establishes the OAuth Dynamic Registration Client
>   Metadata registry.
>
>   OAuth registration client metadata values are registered with a
>   Specification Required ...

This may be a nit but it confused me; surely it isn't metadata *values*
that are registered; it's metadata names and descriptions?

Nit:
----

I expected a reference, presumably [RFC6749], at the first mention
of OAuth 2.0 (in the first sentence).