Last Call Review of draft-ietf-oauth-introspection-08

Request Review of draft-ietf-oauth-introspection
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2015-06-09
Requested 2015-05-27
Authors Justin Richer
Draft last updated 2015-06-23
Completed reviews Genart Last Call review of -08 by Wassim Haddad (diff)
Secdir Last Call review of -08 by Stephen Kent (diff)
Opsdir Last Call review of -08 by Lionel Morand (diff)
Assignment Reviewer Lionel Morand 
State Completed
Review review-ietf-oauth-introspection-08-opsdir-lc-morand-2015-06-23
Reviewed rev. 08 (document currently at 11)
Review result Has Issues
Review completed: 2015-06-23


I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.


This document is well-written, clear and almost ready to be published. I have however some comments:


1/ I share the comment from Barry regarding "MUST support POST, and MAY support GET" in section 2.1.

2/ Sorry if it is obvious, but there is no indication of how the protected resources discover the introspection endpoint to which to send the request. It might be explained in some other documents, but we could find this information in this document as well (or at least a reference).


Minor comments:


sect 2.1:

   The endpoint MAY allow other parameters to provide further context to
   the query.  For instance, an authorization service may need to know
   the IP address of the client accessing the protected resource in
   order to determine the appropriateness of the token being presented.


Which endpoint are you referring to at the beginning of the sentence? The introspection endpoint, the authorization endpoint, the token endpoint, or another? I guess it is the first one, but please clarify.


In the second sentence, I think it is "authorization server" instead of "authorization service".
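To make the section 2.1 points above concrete (POST vs. GET support, and an extra context parameter such as the client IP address), here is a minimal introspection endpoint handler. It is an added example written for this review page, not code from the draft or its author; the resource-server credential, the token store and the `client_ip` parameter name are constructed assumptions.

```python
import time
from typing import Dict, Tuple

# Constructed sample state: the credential the protected resource presents
# to the introspection endpoint, and a token store keyed by token value.
# Both are placeholders for this example, not values from the draft.
RESOURCE_CREDENTIAL = "Bearer resource-server-secret"
TOKEN_STORE: Dict[str, dict] = {
    "tok-good": {"active": True, "scope": "read", "client_id": "app1",
                 "exp": int(time.time()) + 600, "bound_ip": "10.0.0.5"},
    "tok-expired": {"active": True, "scope": "read", "client_id": "app1",
                    "exp": int(time.time()) - 1, "bound_ip": None},
}

def handle_introspection(method: str, headers: Dict[str, str],
                         form: Dict[str, str]) -> Tuple[int, dict]:
    """Minimal introspection endpoint: returns (HTTP status, JSON body)."""
    # Draft: the endpoint MUST support POST and MAY support GET. This server
    # chooses POST only, so token values never end up in URLs or access logs.
    if method != "POST":
        return 405, {"error": "method_not_allowed"}
    # The endpoint must authenticate the protected resource making the query;
    # otherwise any party could probe whether arbitrary token values are valid.
    if headers.get("Authorization") != RESOURCE_CREDENTIAL:
        return 401, {"error": "invalid_client"}
    token = form.get("token")
    if not token:
        return 400, {"error": "invalid_request"}
    record = TOKEN_STORE.get(token)
    # Unknown, revoked and expired tokens all get the same minimal answer,
    # so the response does not reveal why a token is unacceptable.
    if record is None or not record["active"] or record["exp"] <= time.time():
        return 200, {"active": False}
    # Optional extra context parameter (the draft's IP-address example):
    # if the token is bound to an address, a mismatch makes it inappropriate.
    client_ip = form.get("client_ip")
    if record["bound_ip"] and client_ip != record["bound_ip"]:
        return 200, {"active": False}
    return 200, {"active": True, "scope": record["scope"],
                 "client_id": record["client_id"], "exp": record["exp"]}
```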
