Document: draft-hammer-oauth-03
Reviewer: Avshalom Houri
Review Date: 2009-11-10
IETF LC End Date: 2009-11-06
IESG Telechat date: (if known)

Summary:

Draft is almost ready. Needs some more work to improve readability and structure.

Major issues:

Section 3.3.1.1. Collect Request Parameters

It is very hard to understand this whole section. It seems that it belongs more to the later parts of the document.

Minor issues:

Lines 421-423:

   nor does it include most HTTP entity-headers. The importance of the
   signature base string scope is that the authenticity of the excluded
   components cannot be verified using the signature.

Could not understand the sentence starting with "The importance".

Lines 627-636:

   4.  If the URI includes an empty path, it MUST be included as "/".

   For example:

   +----------------------------------+-------------------------------+
   | The request URI                  | Is included in base string as |
   +----------------------------------+-------------------------------+
   | HTTP://EXAMPLE.com:80/r/x?id=123 | http://example.com/r/x        |
   | https://example.net:8080?q=1#top | https://example.net:8080/     |
   +----------------------------------+-------------------------------+

Does it mean that the granularity here is only for the whole resource? If so, it should be mentioned somewhere.

Section 4. Redirection-Based Authorization

Seems to be more correctly placed in the beginning of the document.

Section 6. Security Considerations

I like the detailed explanations, but it may be good to have some preface that describes the class of threats covered, etc.

Appendix should be part of the document as an example.

Nits/editorial comments:

Line 360:
   A nonce is a random string, uniquely generated to allows the server
-> A nonce is a random string, uniquely generated to allow the server

Line 378:
   client needs to prove it is the rightful owner of the credentials.
-> client needs to prove that it is the rightful owner of the credentials.

Line 405:
   (or a sting of an equivalent value), and includes it in the
-> (or a string of an equivalent value), and includes it in the
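The following is an added example, not part of the review above or of the draft, showing the base string URI normalisation that the quoted table from lines 627-636 illustrates: scheme and host lowercased, the default port dropped, a non-default port kept, an empty path written as "/", and the query and fragment left out of the URI component. The treatment of port 443 as the https default, and the note that the stripped query parameters are carried in the separate normalised-parameters part of the base string rather than discarded, follow the published RFC 5849 (Sections 3.4.1.2 and 3.4.1.3), not the -03 draft text quoted here; the function and variable names are this example's own.

```python
"""Added example: OAuth 1.0 signature base string URI normalisation.

Not code from the draft or the review; written to reproduce the two rows
of the quoted table and the rule that an empty path becomes "/".
"""
from urllib.parse import parse_qsl, urlsplit

# Default ports per scheme. Port 443 for https is taken from RFC 5849
# Section 3.4.1.2; the quoted draft table only shows the http/80 case.
DEFAULT_PORTS = {"http": 80, "https": 443}


def base_string_uri(request_uri: str) -> str:
    """Return the request URI as it is included in the signature base string.

    - scheme and host are lowercased
    - the port is omitted when it is the scheme default, kept otherwise
    - an empty path is represented as "/"
    - query string and fragment are excluded from this component
    """
    parts = urlsplit(request_uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("request URI has no host")

    # parts.port is None when no explicit port is present; an explicit
    # default port (":80" on http) is dropped just like an absent one.
    port = parts.port
    authority = host
    if port is not None and port != DEFAULT_PORTS[scheme]:
        authority = f"{host}:{port}"

    path = parts.path or "/"
    return f"{scheme}://{authority}{path}"


def excluded_query_parameters(request_uri: str) -> list:
    """Query parameters stripped from the URI component.

    They are not lost: in RFC 5849 they are collected into the normalised
    request parameters, the second component of the signature base string,
    which is why the URI component only names the whole resource.
    """
    return parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)


if __name__ == "__main__":
    # The two rows of the quoted table, plus an https default-port case.
    for uri in (
        "HTTP://EXAMPLE.com:80/r/x?id=123",
        "https://example.net:8080?q=1#top",
        "https://example.com:443/x",
    ):
        print(f"{uri:36} -> {base_string_uri(uri)}  params={excluded_query_parameters(uri)}")
```

Run directly, the script prints the normalised form for each row of the quoted table; the `excluded_query_parameters` helper makes the granularity point concrete: the URI component identifies the resource only, and `id=123` or `q=1` must be signed through the parameter list, not the URI.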