Last Call Review of draft-ietf-oauth-resource-metadata-08
review-ietf-oauth-resource-metadata-08-secdir-lc-mandelberg-2024-08-16-00
| Field | Value |
|---|---|
| Request | Review of draft-ietf-oauth-resource-metadata |
| Requested revision | No specific revision (document currently at 12) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2024-08-26 |
| Requested | 2024-08-12 |
| Authors | Michael B. Jones, Phil Hunt, Aaron Parecki |
| I-D last updated | 2024-08-16 |
| Completed reviews | Artart Last Call review of -08 by Arnt Gulbrandsen; Secdir Last Call review of -08 by David Mandelberg; Opsdir Last Call review of -08 by Bo Wu; Httpdir Telechat review of -10 by Mike Bishop |
| Assignment | Reviewer: David Mandelberg |
| State | Completed |
| Request | Last Call review on draft-ietf-oauth-resource-metadata by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/ECNOFeCe8_ow088A_oWmsjjZSR4 |
| Reviewed revision | 08 (document currently at 12) |
| Result | Has nits |
| Completed | 2024-08-16 |
Overall, looks good. I just have a couple of questions that might not need any changes to the doc.

Section 5.2 says "SHOULD retrieve the updated protected resource metadata and use the new metadata values obtained" which makes sense for the values included directly in the metadata. For the URLs like jwks_uri though, is the client expected to retrieve those again even if the URL itself didn't change? Or does that not need to be specified?

What do you think about adding something to section 5.2 about redoing all validation (like checking the resource field and validating the signature in signed_metadata) before using new values? I'd hope that any implementations would do that without it being specified, but I could see some bugs if the code path for fetching initial values is different than the code path for updating values.
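As an added illustration of the second question (this is example code, not part of the draft or the reviewer's message), the client below routes the initial fetch and every later refresh through one validate() step, so a refresh cannot bypass the resource check or the signed_metadata check. The class name, the verify_signed callback and the sample documents are constructed for the example; marking the jwks_uri key set stale on every refresh is the example's own conservative choice, not something the draft specifies.

```python
import json
from typing import Callable, Optional
# Constructed sample documents (not from the draft) for a hypothetical
# resource identifier https://api.example.com/.
RESOURCE = "https://api.example.com/"
INITIAL_DOC = json.dumps({"resource": RESOURCE,
                          "authorization_servers": ["https://as.example.com/"],
                          "jwks_uri": "https://api.example.com/jwks.json"})
UPDATED_DOC = json.dumps({"resource": RESOURCE,
                          "jwks_uri": "https://api.example.com/jwks.json"})
WRONG_RESOURCE_DOC = json.dumps({"resource": "https://other.example/",
                                 "jwks_uri": "https://api.example.com/jwks.json"})

class MetadataError(ValueError):
    """Raised when a protected resource metadata document fails validation."""

class ResourceMetadataClient:
    """Holds validated metadata for one resource identifier; load() and
    refresh() share validate(), so an update cannot skip a check."""

    def __init__(self, resource: str,
                 verify_signed: Optional[Callable[[str], dict]] = None):
        self.resource = resource            # identifier the client expects
        self.verify_signed = verify_signed  # hypothetical JWT verifier callback
        self.metadata: dict = {}
        self.jwks_stale = True              # keys at jwks_uri not yet (re)fetched

    def validate(self, doc: dict) -> dict:
        # The resource value must exactly match the identifier the client used.
        if doc.get("resource") != self.resource:
            raise MetadataError(f"resource mismatch: {doc.get('resource')!r}")
        if "signed_metadata" in doc:
            if self.verify_signed is None:
                raise MetadataError("signed_metadata present but no verifier configured")
            if self.verify_signed(doc["signed_metadata"]).get("resource") != self.resource:
                raise MetadataError("signed_metadata resource claim mismatch")
        return doc

    def load(self, raw: str) -> dict:
        # The initial fetch and later refreshes deliberately share one path.
        return self.refresh(raw)

    def refresh(self, raw: str) -> dict:
        doc = self.validate(json.loads(raw))  # raises before any state changes
        # Conservative choice: mark keys stale on every refresh, even when
        # jwks_uri is unchanged, so the key set is fetched again before use.
        self.jwks_stale = "jwks_uri" in doc
        self.metadata = doc
        return doc
```

A rejected refresh leaves the previously validated metadata and key state untouched, which is the behaviour the reviewer hopes implementations already have.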