Last Call Review of draft-ietf-oauth-dyn-reg-24

Request Review of draft-ietf-oauth-dyn-reg
Requested rev. no specific revision (document currently at 30)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2015-03-16
Requested 2015-03-04
Authors Justin Richer, Michael Jones, John Bradley, Maciej Machulak, Phil Hunt
Draft last updated 2015-03-05
Completed reviews Genart Last Call review of -24 by Brian Carpenter (diff)
Genart Last Call review of -27 by Brian Carpenter (diff)
Secdir Last Call review of -24 by Charlie Kaufman (diff)
Opsdir Last Call review of -24 by Tina Tsou (diff)
Assignment Reviewer Brian Carpenter 
State Completed
Review review-ietf-oauth-dyn-reg-24-genart-lc-carpenter-2015-03-05
Reviewed rev. 24 (document currently at 30)
Review result Almost Ready
Review completed: 2015-03-05


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-oauth-dyn-reg-24.txt
Reviewer: Brian Carpenter
Review Date: 2015-03-05
IETF LC End Date: 2015-03-16
IESG Telechat date:

Summary: Almost ready


>2.  Client Metadata
>   ...
>   The following client metadata fields are defined by this
>   specification.
>   ...
>   ...
>   Extensions and profiles of this specification MAY expand this list.

That definitely needs a forward reference to the IANA Considerations.
I don't think it's an RFC 2119 MAY, so it should read something like

  Extensions and profiles of this specification may expand this list
  with metadata names registered in accordance with the IANA Considerations
  in Section 4 of this document.

>   The authorization server MUST ignore any client metadata values sent
>   by the client that it does not understand.

Silently, or with an error report?

>4.  IANA Considerations
>4.1.  OAuth Dynamic Registration Client Metadata Registry
>   This specification establishes the OAuth Dynamic Registration Client
>   Metadata registry.
>   OAuth registration client metadata values are registered with a
>   Specification Required ...

This may be a nit but it confused me; surely it isn't metadata *values*
that are registered; it's metadata names and descriptions?


I expected a reference, presumably [RFC6749], at the first mention
of OAuth 2.0 (in the first sentence).