Thanks for your thoughtful comments, Bing. Responses are inline below:

On Thu, Dec 25, 2025 at 5:36 PM Bing Liu via Datatracker <[email protected]> wrote:

> Document: draft-ietf-oauth-cross-device-security
> Title: Cross-Device Flows: Security Best Current Practice
> Reviewer: Bing Liu
> Review result: Has Nits
>
> Hi Dear authors, I'm assigned to review draft-ietf-oauth-cross-device-security-13 by OPSDir.
>
> # General status: Ready with Nits
> I read the latest -13 version. The draft contains a very clear explanation of the cross-device flow patterns and relevant exploits analysis, and the examples are very practical and easy for readers to understand. I believe it is ready, with a couple of nits as follows.
>
> # Small writing nits:
> 1) In section 1.1, s/ there is no technical mechanisms/there are no technical mechanisms
> 2) Also section 1.1, s/Authorization device/Authorization Device (capital character issue)
> 3) In Section 1.1 and Section 6.2.1.2, the references to Exploit 1 to Exploit 6 both appear as a “trunck”; maybe they need more concrete citing?
>
>
I opened an issue to track the writing nits (see https://github.com/oauth-wg/oauth-cross-device-security/issues/231).


> # Suggestions on chapter organization
> 1) The sub-sections in Section 3 and 4 are mostly aligned. But it is not very convenient for readers to read one Cross-Device Flow Pattern in Section 3 and then jump to the relevant Cross-Device Flow Exploit in Section 4. Would it be much easier to read if the content of Section 4 were integrated into Section 3?
> 2) The examples in Section 3/4 seem a bit random. If these are very typical/common examples that could cover many/most of the application scenarios, then it's good. If not, maybe consider moving them into an Appendix chapter.
>
>
Cross-device flows have found broad deployment, even in use cases we did
not initially anticipate. The examples illustrate this diversity in
real-world deployments to help practitioners identify the flows, assess
exploits and deploy mitigations. Therefore, we should not move the examples
to the appendix.

Changing the document structure at this point in the document lifecycle by merging these sections may have unintended consequences and cause unanticipated confusion. Instead, I propose we provide the reader with guidance on using sections 3 and 4 to help them navigate between sections when needed (see https://github.com/oauth-wg/oauth-cross-device-security/issues/232).


> Best regards,
> Bing
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>