Normative references to drafts in FAPI 1.0 Advanced

FAPI 1.0 Advanced Final has normative references to draft specifications that are not themselves final. Which is really kind of improper form for standards and creates risk/uncertainty/etc. for would-be implementers.

PAR and JAR link to their respective datatracker htmlized versions (https://tools.ietf.org/html/draft-ietf-oauth-par & https://tools.ietf.org/html/draft-ietf-oauth-jwsreq) which do show some indication (if you know what you’re looking at) of their RFC status that came after FAPI 1.0 final was published. And I don’t think there were any significant or breaking changes in the meantime. They should maybe be updated in a future errata to point to the actual RFCs?

JARM links to the head revision of a markdown file in the Bitbucket git repo https://bitbucket.org/openid/fapi/src/master/Financial_API_JWT_Secured_Authorization_Response_Mode.md which seems rather problematic to me. And I’m honestly not sure what can be done to improve it. But I think maybe an effort to get JARM finalized is needed?

‌

Comments (9)