Gabriel Corona

Results 204 comments of Gabriel Corona

Sorry for the delay! I *think* the following wording points have not been completely addressed. **allow list / back list:** * Currently translated as: liste blanche / liste noire *...

> allow list / back list: The current version is good The original authors have chosen not to use "black list" and "white list" and used "allow list" and "deny...

> endpoint: The current version is good I *think* we use two different wordings ("point de terminaison" and "point d'entrée"), we shall at least use the same wording throughout the...

> (JWT) claim: The current version is good These ones use "revendication": * https://www.ibm.com/docs/fr/order-management?topic=users-jwt-authentication * https://learn.microsoft.com/fr-fr/entra/identity-platform/jwt-claims-customization So it's probably OK. I understand "claim" to actually mean "déclaration" (such as...

> (JWT) claim: The current version is good These ones use "revendication": * https://www.ibm.com/docs/fr/order-management?topic=users-jwt-authentication * https://learn.microsoft.com/fr-fr/entra/identity-platform/jwt-claims-customization So it's probably OK. I understand "claim" to actually mean "déclaration" but we...

Sorry, but it appears there are 8 instances of "liste blanche" remaining.

I think it's OK as well.

> If we only require that the AS need to support it, but not require the client to use it, it does not provide any security. I would not say...

FWIW, [here is the motivation](https://datatracker.ietf.org/doc/html/rfc9449#name-authorization-code-and-publ) for authorization code binding to a DPoP key: > If an **authorization server does not (or cannot) strictly enforce the single-use limitation** for authorization codes...

> I would say that [the section](https://datatracker.ietf.org/doc/html/rfc9449#section-11.9-2) before the quoted section is more convincing for me. Yes, but the section that I quoted describes the scenario under which this may...