BK Comments 5

Issue #88 duplicate
Nat Sakimura (repo owner) created an issue
Section 5.2.1

   It is possible for the Request Object to include values that are to
   be revealed only to the Authorization Server.  As such, the
   "request_uri" MUST have appropriate entropy for its lifetime.  For
   the guidance, refer to 5.1.4.2.2 of [RFC6819].  It is RECOMMENDED
   that it be removed after a reasonable timeout unless access control
   measures are taken.

It sounds like a link to https://www.w3.org/TR/capability-urls/ might
also be useful.

Section 5.2.2

Do we want to remind the reader that the other query parameters are just
for backwards compatibility?

Section 5.2.3

   The following is an example of this fetch process:

     GET /request.jwt HTTP/1.1
     Host: tfp.example.org

It's useful to show good hygiene in examples; can we get the extra
entropy in this request that we have in the previous example(s)?
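The two points above (a request_uri that carries enough entropy for its lifetime and is removed after a timeout, and a fetch example whose path reflects that entropy) as a worked example. This is an added illustration, not text or code from the draft or from this issue: the in-memory store, the `/request/` path prefix under tfp.example.org, the 60-second lifetime and the single-use-on-fetch behaviour are all assumptions chosen for the demonstration.

```python
import secrets
import time
from urllib.parse import urlsplit

# Constructed example (not from the JAR draft): Request Objects are kept in an
# in-memory table keyed by a high-entropy token, the token is embedded in the
# request_uri, and an entry disappears on first fetch or when its lifetime ends.

REQUEST_URI_BASE = "https://tfp.example.org/request/"  # assumed path layout
REQUEST_URI_TTL = 60       # assumed "reasonable timeout", in seconds
TOKEN_BYTES = 32           # 256 bits of randomness; RFC 6819 5.1.4.2.2 asks
                           # for at least 128 bits for unguessable values


class RequestObjectStore:
    """Publishes Request Objects under unguessable request_uri values."""

    def __init__(self, ttl=REQUEST_URI_TTL, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be tested
        self._entries = {}       # token -> (request_jwt, expires_at)

    def publish(self, request_jwt):
        """Store a Request Object and return the request_uri that refers to it."""
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, URL-safe base64
        self._entries[token] = (request_jwt, self._now() + self._ttl)
        return REQUEST_URI_BASE + token

    def fetch(self, request_uri):
        """Resolve a request_uri, or return None if unknown, expired or used."""
        if not request_uri.startswith(REQUEST_URI_BASE):
            return None
        token = request_uri[len(REQUEST_URI_BASE):]
        # pop() makes the URI single use: a replayed fetch gets nothing back
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        request_jwt, expires_at = entry
        if self._now() > expires_at:
            return None
        return request_jwt

    def sweep(self):
        """Drop expired entries that were never fetched; returns how many."""
        now = self._now()
        stale = [t for t, (_, exp) in self._entries.items() if now > exp]
        for t in stale:
            del self._entries[t]
        return len(stale)


def http_get_request(request_uri):
    """Render the fetch as the HTTP request the draft's 5.2.3 example shows,
    so the path carries the same entropy as the request_uri itself."""
    parts = urlsplit(request_uri)
    return f"GET {parts.path} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"


if __name__ == "__main__":
    store = RequestObjectStore()
    uri = store.publish("eyJhbGciOiJSUzI1NiJ9.e30.sig")  # placeholder JWT
    print(http_get_request(uri))
    print("fetched:", store.fetch(uri) is not None)
    print("replayed:", store.fetch(uri) is not None)
```

The fetch path is 43 characters of URL-safe base64 rather than a fixed `/request.jwt`, which is the hygiene the comment asks for; consuming the entry on the first successful fetch and sweeping unfetched entries after the timeout covers the "removed after a reasonable timeout" recommendation without needing any access control on the URI itself.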
