This is a simple list of issues we need to burn down in working on the protocol spec(s). See also the issues listed in the Scenarios and Use Cases document.
- Consider whether the contents of XRD-1 and XRD-2 should be merged somehow. (See 2009-11-19 discussion.)
- Consider what we should say about whether XRD-3 should be signed. (See 2009-11-19 discussion.)
- Make it clear that, just like in regular OAuth as deployed today, we assume that the same person (the person serving as the authorizing user) is "behind" both the host and the AM.
- Make it clear that, unlike in two-legged OAuth today, the requester somehow needs to present itself uniquely per requesting user.
- Consider whether to allow for querying the "protected status" of a resource. (See 2009-11-02 discussion.)
- Change examples to use example.com etc. in accordance with IETF rules.