openid / OpenID4VP


Actionable references to security BCP #147

Open danielfett opened 3 months ago

danielfett commented 3 months ago

The draft currently contains the following references to the OAuth Security BCP:

(1)

Any of the OAuth 2.0 related specifications, such as [RFC9126] and [RFC9101], and Best Current Practice (BCP) documents, such as [RFC8252] and [I-D.ietf-oauth-security-topics], can be implemented on top of this specification.

(2)

The Authorization Request follows the definition given in [RFC6749] taking into account the recommendations given in [I-D.ietf-oauth-security-topics].

(3)

The state parameter defined in Section 4.1.1 of [RFC6749] may be used by a verifier to link requests and responses. Also see Section 3.6 and Section 5.3.5 of [RFC6819], and [I-D.ietf-oauth-security-topics].

(4)

The Wallet MUST ensure the data in the Authorization Response cannot leak through Response URIs. When using pre-registered Response URIs, the Wallet MUST comply with best practices for redirect URI validation as defined in [I-D.ietf-oauth-security-topics].

For (1), I think the layering should be the other way round: This draft can be implemented while following the security BCP.

For (2), the wording is a bit unclear: Does the definition in the draft already implement necessary precautions from the BCP (I think it doesn't) or should the reader look up and follow those?

For (2) (if applicable), (3) and (4), references to specific sections in the BCP should be added.
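
As an added example (not code from the OpenID4VP draft, the OAuth Security BCP, or either commenter), the check that point (4) points at: a Wallet validating an Authorization Request's response_uri against a verifier's pre-registered Response URIs using the BCP's exact-string-matching countermeasure, shown next to the loose prefix matching it replaces. The registered URIs, the request dict and the near-miss inputs are constructed assumptions.

```python
# Added example (not from the OpenID4VP draft, the OAuth Security BCP, or the
# issue's commenters): how a Wallet can validate the response_uri of an
# Authorization Request against a verifier's pre-registered Response URIs.
# The BCP's countermeasure for leakage via redirect/response URIs is exact
# string comparison, so no prefix, wildcard or pattern matching is used.
from typing import FrozenSet, Tuple

# Constructed sample: the Response URIs pre-registered for one verifier.
REGISTERED_RESPONSE_URIS: FrozenSet[str] = frozenset({
    "https://verifier.example.com/vp/response",
})

# Constructed near-misses a loose matcher may accept but an exact match rejects.
NEAR_MISSES = [
    "https://verifier.example.com/vp/response/",          # trailing slash
    "https://verifier.example.com/vp/response?x=1",       # added query
    "https://verifier.example.com/vp/response#frag",      # added fragment
    "https://verifier.example.com/vp/response/../leak",   # path traversal
    "https://verifier.example.com.attacker.example/vp/response",  # host suffix
    "http://verifier.example.com/vp/response",            # downgraded scheme
]


def response_uri_allowed(response_uri: str, registered: FrozenSet[str]) -> bool:
    """Exact string match, as the BCP requires; anything else is rejected."""
    return response_uri in registered


def naive_prefix_check(response_uri: str, registered: FrozenSet[str]) -> bool:
    """The flawed alternative: accepts any URI that merely starts with a
    registered value, which the first four near-misses above slip past."""
    return any(response_uri.startswith(r) for r in registered)


def check_response_uri(request: dict, registered: FrozenSet[str]) -> Tuple[bool, str]:
    """Decide whether the Authorization Response may be sent to the
    request's response_uri. Returns (accepted, reason)."""
    uri = request.get("response_uri")
    if not isinstance(uri, str) or not uri:
        return False, "missing response_uri"
    if not response_uri_allowed(uri, registered):
        return False, "response_uri is not an exact match of a registered value"
    return True, "ok"


if __name__ == "__main__":
    for uri in [next(iter(REGISTERED_RESPONSE_URIS))] + NEAR_MISSES:
        ok, reason = check_response_uri({"response_uri": uri}, REGISTERED_RESPONSE_URIS)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {uri}  ({reason})")
```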

Sakurann commented 1 month ago

@danielfett good points. For 2, 3, and 4, would you be able to help with which specific sections in the BCP should be referenced? For 1, changing "on top of" to "alongside" or something would probably work.