Last Call Review of draft-ietf-oauth-rar-14
review-ietf-oauth-rar-14-artart-lc-fossati-2022-11-04-00

Request: Review of draft-ietf-oauth-rar
Requested revision: No specific revision (document currently at 23)
Type: Last Call Review
Team: ART Area Review Team (artart)
Deadline: 2022-11-17
Requested: 2022-10-27
Authors: Torsten Lodderstedt, Justin Richer, Brian Campbell
I-D last updated: 2022-11-04
Completed reviews:
  Genart Last Call review of -15 by Robert Sparks (diff)
  Secdir Last Call review of -15 by Carl Wallace (diff)
  Artart Last Call review of -14 by Thomas Fossati (diff)
  Opsdir Last Call review of -23 by Qin Wu
Assignment: Reviewer Thomas Fossati
State: Completed
Request: Last Call review on draft-ietf-oauth-rar by ART Area Review Team Assigned
Posted at: https://mailarchive.ietf.org/arch/msg/art/EckO_3zF-gnI83Q_HmO5xREursI
Reviewed revision: 14 (document currently at 23)
Result: Ready
Completed: 2022-11-04
This document defines an OAuth parameter ("authorization_details") to
carry fine-grained authorization data in OAuth messages. This allows
APIs to customise their authorization requests and has applicability in
a number of scenarios, e.g.: banking, e-health, accessing tax data, etc.
The document also defines a base vocabulary for expressing common
semantics, which grants consistency in an otherwise completely open
space.

It is a very well written document and was a pleasure to read.

It has a clearly defined goal and well designed mechanisms.

The examples (both JSON and HTTP) are many, very well crafted, and
syntactically impeccable -- apart from a couple of stray ellipses in the
JSON examples of §10, and the snippet in Figure 16, which were the only
alerts I got from my linter.

The IANA requests are in good shape (with only a tiny typo issue, see
below).

Here are a couple of very minor reference suggestions:
* §2, when JSON is first mentioned, you could add a pointer to RFC7493
* §2.1, when ASCII is mentioned, you could add a pointer to RFC0020

Please fix these:
* §2.2: "[...] the permissions the client requests is" should be "[...]
  the permissions the client requests are"
* §3: "[...] to improve to security" should be "[...] to improve the
  security"
* §15.6: "[...] authorization_details_parameterto" should be
  "[...] authorization_details parameters to" (I think)

Other than that, ship it!
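The first paragraph of the review describes the "authorization_details" parameter and its base vocabulary in the abstract. The following is an added example, not part of the review or of the draft, showing what a defensive consumer of that parameter looks like: an authorization server parsing and validating the JSON array it receives, and a resource server checking whether a token's authorization details actually grant a requested action. It assumes the common field names of the draft's base vocabulary as I understand them (`type`, `locations`, `actions`, `datatypes`, `identifier`, `privileges`), that only pre-registered `type` values are accepted, and that an absent `actions` field grants nothing; the sample JSON is constructed for this example. It also shows that a stray ellipsis of the kind the review flags is rejected by a strict JSON parser.

```python
import json

# Assumption: common fields of the base vocabulary as defined by the RAR
# draft; the review page itself does not enumerate them.
STRING_LIST_FIELDS = ("locations", "actions", "datatypes", "privileges")

# Constructed sample value for the authorization_details parameter.
SAMPLE = json.dumps([
    {
        "type": "account_information",
        "actions": ["list_accounts", "read_balances"],
        "locations": ["https://example.com/accounts"],
    }
])


def parse_authorization_details(raw, allowed_types):
    """Parse the JSON value of authorization_details and return the list of
    validated detail objects.

    Raises ValueError for malformed JSON, a non-array value, an entry that
    is not an object, an entry without a string 'type', a 'type' that the
    authorization server has not registered, or a common field with the
    wrong JSON shape. Unknown, type-specific fields are passed through.
    """
    try:
        details = json.loads(raw)
    except json.JSONDecodeError as exc:
        # A stray "..." in a JSON example trips exactly this check.
        raise ValueError(f"authorization_details is not valid JSON: {exc}")
    if not isinstance(details, list) or not details:
        raise ValueError("authorization_details must be a non-empty JSON array")

    validated = []
    for i, entry in enumerate(details):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i} is not a JSON object")
        detail_type = entry.get("type")
        if not isinstance(detail_type, str) or not detail_type:
            raise ValueError(f"entry {i} lacks a non-empty string 'type'")
        if detail_type not in allowed_types:
            # Only types the AS knows how to interpret are accepted.
            raise ValueError(f"entry {i}: unregistered type {detail_type!r}")
        for field in STRING_LIST_FIELDS:
            value = entry.get(field)
            if value is not None and not (
                isinstance(value, list) and all(isinstance(v, str) for v in value)
            ):
                raise ValueError(f"entry {i}: {field!r} must be an array of strings")
        identifier = entry.get("identifier")
        if identifier is not None and not isinstance(identifier, str):
            raise ValueError(f"entry {i}: 'identifier' must be a string")
        validated.append(entry)
    return validated


def is_valid(raw, allowed_types):
    """Boolean wrapper around parse_authorization_details for quick checks."""
    try:
        parse_authorization_details(raw, allowed_types)
        return True
    except ValueError:
        return False


def permits(details, detail_type, action, location=None):
    """Resource-server side check: does any validated entry of the given
    type grant `action` (at `location`, if one is given)?

    Design choice (assumption): an entry without 'actions' grants no action,
    and an entry without 'locations' is not restricted by location.
    """
    for entry in details:
        if entry["type"] != detail_type:
            continue
        if action not in entry.get("actions", []):
            continue
        if location is not None and "locations" in entry and location not in entry["locations"]:
            continue
        return True
    return False


if __name__ == "__main__":
    registered = {"account_information"}
    details = parse_authorization_details(SAMPLE, registered)
    print("read_balances at accounts API:",
          permits(details, "account_information", "read_balances",
                  "https://example.com/accounts"))
    print("snippet with ellipsis accepted:",
          is_valid('[{"type": "account_information", ...}]', registered))
```

`parse_authorization_details` belongs at the authorization server's request boundary (and again when minting the token), while `permits` is what the resource server runs against the `authorization_details` it finds in the introspected or decoded token; keeping both default-deny is what makes the fine-grained data safer than a bare scope string rather than merely more expressive.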