Hi Pieter,

Thanks for your reply and for addressing my comments. Your replies sound reasonable, and there are no problems from my side.

B.R.
Bing

From: Pieter Kasselman <[email protected]>
Sent: Tuesday, December 30, 2025 4:21 AM
To: Liubing (Leo) <[email protected]>
Cc: [email protected]; [email protected]; [email protected]; [email protected]
Subject: Re: [OAUTH-WG] draft-ietf-oauth-cross-device-security-13 ietf last call Opsdir review

Thanks for your thoughtful comments Bing, responses are inline below:

On Thu, Dec 25, 2025 at 5:36 PM Bing Liu via Datatracker <[email protected]> wrote:

> Document: draft-ietf-oauth-cross-device-security
> Title: Cross-Device Flows: Security Best Current Practice
> Reviewer: Bing Liu
> Review result: Has Nits
>
> Hi Dear authors,
>
> I'm assigned to review draft-ietf-oauth-cross-device-security-13 by OPSDir.
>
> # General status: Ready with Nits #
>
> I read the latest -13 version. The draft contains a very clear explanation of the cross-device flow patterns and the relevant exploit analysis, and the examples are very practical and easy for readers to understand. I believe it is ready, with a couple of nits as follows.
>
> # Small writing nits:
>
> 1) In Section 1.1, s/there is no technical mechanisms/there are no technical mechanisms
>
> 2) Also in Section 1.1, s/Authorization device/Authorization Device (capitalization issue)
>
> 3) In Section 1.1 and Section 6.2.1.2, the references to Exploit 1 through Exploit 6 both appear as a "trunck"; maybe they need more concrete citing?

I opened an issue to track the writing nits (see https://github.com/oauth-wg/oauth-cross-device-security/issues/231).

> # Suggestions on chapter organization
>
> 1) The sub-sections in Sections 3 and 4 are mostly aligned, but it is not very convenient for readers to read one Cross-Device Flow Pattern in Section 3 and then jump to the relevant Cross-Device Flow Exploit in Section 4. Would it be much easier to read if the content of Section 4 were integrated into Section 3?
>
> 2) The examples in Sections 3/4 seem a bit random. If these are very typical/common examples that could cover many/most of the application scenarios, then it's good. If not, maybe consider moving them into an Appendix chapter.

Cross-device flows have found broad deployment, even in use cases we did not initially anticipate. The examples illustrate this diversity in real-world deployments to help practitioners identify the flows, assess exploits and deploy mitigations. Therefore, we should not move the examples to the appendix.

Changing the document structure at this point in the document lifecycle by merging these sections may have unintended consequences and cause unanticipated confusion. Instead, I propose we provide the reader with guidance on using Sections 3 and 4 to help them navigate between the sections when needed (see https://github.com/oauth-wg/oauth-cross-device-security/issues/232).

> Best regards,
> Bing

_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
