Brian Campbell
attempt @martinthomson's "simple alternative" in #1927 to say the chain is in the same order as it appears in TLS rather than copying the language from TLS
update refs for HTTP Semantics, HTTP/3, and QPACK to point to the now RFCs 9110/9114/9204 for #2146
I apologize in advance for this one... I really do. It has always been my reading that OAuth 2.0 allows for client identification/authentication to be omitted in extension grants (if...
Right after the IETF 119 OAuth session yesterday in a talk with @selfissued and @ve7jtb that started with discussion of PR #394, the question again came up (with some surprise...
It's not clear how the secure session endpoint(s) are to be conveyed from server to browser. Is this the purpose of the "path" part of the Sec-Session-Registration? I'm clearly missing...
A signed JWT is always a series of three base64url-encoded values separated by a period ('.') character. It is not itself base64url-encoded. So saying things like `` and `Sec-Session-Response:...
JWS algorithms are case-sensitive, per the JWS/JWA specs[1], and DBSC should consistently use the defined ones `ES256` and `RS256` (rather than `es256` and `rs256` that currently sometimes are used). Doing...
An example JWT has `"jti": "nonce",` but the word nonce doesn't appear anywhere else. Is the value intended to be the challenge from the Sec-Session-Challenge header? This could use some...
Please consider using the `jwk` header parameter to convey the public key in the JWT sent by the browser. That would better leverage existing standards, be similar to how DPoP...
`iat` is a number per https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6 so `"iat": "timestamp",` in an example is potentially misleading or wrong