Thanks Mike, I agree with your comments and opened issues to address them (see inline for details).

Cheers,
Pieter

On Wed, Jan 21, 2026 at 7:49 PM Mike Bishop via Datatracker <[email protected]> wrote:

> Mike Bishop has entered the following ballot position for
> draft-ietf-oauth-cross-device-security-14: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-cross-device-security/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> This is a well-done document, and I enjoyed reading it. I do support
> Roman's DISCUSS about overuse of normative language, and include a very
> few comments below.
>
> # IESG review of draft-ietf-oauth-cross-device-security-14
>
> CC @MikeBishop
>
> ## Comments
>
> ### Section 3.1.3, paragraph 9
> ```
> * (F) The Authorization Server issues tokens or grants authorization
> to the Consumption Device to access the user's resources.
> ```
> I quibble slightly with the direction of this arrow in the diagram, or
> perhaps with the absence of an extra arrow. Presumably the Consumption
> Device presents the Authorization Data, which then results in access
> being granted? (Compare to F/G in the Figure in 3.2.1.)

An extra arrow would add clarity, I will add it (see
https://github.com/oauth-wg/oauth-cross-device-security/issues/260).

> ### Section 5, paragraph 9
> ```
> if it detects that the same device is used. An authorization server
> may use techniques such as device fingerprinting, network address or
> other techniques to detect if a cross-device protocol is being used
> on the same device. If an implementor decides to use a cross-device
> ```
> NAT might cause this to be misidentified.

We can add that as extra information. Tracking issue here:
https://github.com/oauth-wg/oauth-cross-device-security/issues/261

> ## Nits
>
> All comments below are about very minor potential issues that you may
> choose to address in some way - or ignore - as you see fit. Some were
> flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool),
> so there will likely be some false positives. There is no need to let me
> know what you did with these suggestions.
>
> ### Section 10, paragraph 1
> ```
> Jim Fenton and Bing Liu and others (please let us know, if you've
> been mistakenly omitted) for their valuable input, feedback and
> ```
> Probably about time to remove the parenthetical. The door is closing.
>
> ### Grammar/style
>
> #### Section 1.2, paragraph 1
> ```
> other artifacts that allow them to setup a session and then use it to access
>       ^
> ```
> artefact -> artifact, one other place as well
>
> #### Section 1.2, paragraph 1
> ```
> other artefacts that allow them to setup a session and then use it to access
>                                    ^^^^^
> ```
> The verb "set up" is spelled as two words. The noun "setup" is spelled as
> one.
>
> #### Section 3.1, paragraph 8
> ```
> mption Device. Note: The use of a 6 digit code is illustrative and reflects
>                                   ^^^^^^^
> ```
> When "6-digit" is used as a modifier, it is usually spelled with a hyphen.
>
> #### Section 3.3.2, paragraph 1
> ```
> ransfer Pattern) An employee is signed into an application on their personal
>                                 ^^^^^^^^^^^
> ```
> The verb "signed into" is not standard English, except in the context of
> the law ("The bill was signed into law"). Write "signed in to". For
> websites and computers, other options are "logged in to" or "logged on to".
>
> #### Section 3.3.2, paragraph 1
> ```
> which results in the user being signed into the application on the mobile p
>                                 ^^^^^^^^^^^
> ```
> The verb "signed into" is not standard English, except in the context of
> the law ("The bill was signed into law"). Write "signed in to". For
> websites and computers, other options are "logged in to" or "logged on to".
>
> #### Section 4.1.1, paragraph 3
> ```
> quest and thereby convince them to granting authorization. The social enginee
>                                    ^^^^^^^^
> ```
> The verb after "to" should be in the base form as part of the
> to-infinitive. A verb can take many forms, but the base form is always
> used in the to-infinitive.
>
> #### Section 4.1.2, paragraph 3
> ```
> for users and convincing users to providing them with authorization data sent
>                                   ^^^^^^^^^
> ```
> The verb after "to" should be in the base form as part of the
> to-infinitive. A verb can take many forms, but the base form is always
> used in the to-infinitive.
>
> #### Section 4.2, paragraph 2
> ```
> ed Session Pattern) These exploits applies to the use case described in Secti
>                                    ^^^^^^^
> ```
> You should probably use "apply".
>
> #### Section 5, paragraph 7
> ```
> network. Though physically in close proximity, they don't share a network, s
>                               ^^^^^^^^^^^^^^^
> ```
> This phrase is a bit redundant. Consider using just "proximity".
>
> #### Section 5, paragraph 8
> ```
> can be established by comparing geo-location information derived from global
>                                 ^^^^^^^^^^^^
> ```
> This word is normally spelled as one.
>
> #### Section 6.1, paragraph 4
> ```
> duced by making QR or user codes short lived. If an attacker obtains a short
>                                  ^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1, paragraph 4
> ```
> lived. If an attacker obtains a short lived code, the duration during which
>                                 ^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1.1, paragraph 1
> ```
> cks counter the effectiveness of short lived codes by convincing a user to re
>                                  ^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1.1, paragraph 1
> ```
> ency requirements, in which case short lived tokens may be more practical. O
>                                  ^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1.1, paragraph 2
> ```
> the same code to be presented a small number of times. 6.1.4. Unique Codes
>                               ^^^^^^^^^^^^^^^^^
> ```
> Specify a number, remove phrase, use "a few", or use "some".
>
> #### Section 6.1.1, paragraph 3
> ```
> al to the lifetime of a token if short lived/timebound tokens are used (see S
>                                  ^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1.1, paragraph 5
> ```
> tion endpoint (see [RFC7662]). In addition it may notify resource servers to
>                                   ^^^^^^^^
> ```
> A comma may be missing after the conjunctive/linking adverb "addition".
>
> #### Section 6.1.3, paragraph 2
> ```
> they are using a trusted device. Short lived tokens do not prevent or disrupt
>                                  ^^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.1.6, paragraph 1
> ```
> key, even if it is in hardware. Consequently the main protection derived from
>                                 ^^^^^^^^^^^^
> ```
> A comma may be missing after the conjunctive/linking adverb "Consequently".
>
> #### Section 6.1.17, paragraph 1
> ```
> as a roaming authenticator for signing into the primary device, such as a p
>                                ^^^^^^^^^^^^
> ```
> The verb "signing into" is not standard English, except in the context of
> the law ("The bill was signed into law"). Write "signing in to". For
> websites and computers, other options are "logging in to" or "logging on to".
>
> #### Section 6.2.2.3, paragraph 1
> ```
> 2020], Pernpruner et al. formally analysed an authentication protocol relyin
>                                   ^^^^^^^^
> ```
> Do not mix variants of the same word ("analyse" and "analyze") within a
> single text.
>
> #### Section 6.2.3.2, paragraph 1
> ```
> ess these attacks, we propose a three pronged approach that includes the depl
>                                 ^^^^^^^^^^^^^
> ```
> This word is normally spelled with a hyphen.
>
> #### Section 6.2.3.4, paragraph 1
> ```
> g Liu and others (please let us know, if you've been mistakenly omitted) for
>                                      ^^^^
> ```
> If " if" starts an indirect question, you do not need to put a comma
> before it.

Nits issues: https://github.com/oauth-wg/oauth-cross-device-security/issues/262

> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
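Added illustration of the Section 5 point discussed in the thread (same-device detection via fingerprinting or network address, and why NAT undermines the address-only check). This is example code written for this page, not code from the draft, the working group or either correspondent; the server-side model, the `DeviceSignals` fields and the opaque fingerprint are assumptions.

```python
"""Same-device detection for a cross-device flow, with the NAT caveat.

Added illustration, not code from the draft or the thread. Assumed model:
the authorization server records the signals it observed when it issued the
code to the Initiating Device and compares them with the signals it sees
when the Authenticating Device presents that code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceSignals:
    client_ip: str                      # public address as seen by the server
    fingerprint: Optional[str] = None   # hypothetical opaque device fingerprint


def same_device_evidence(initiating: DeviceSignals,
                         authenticating: DeviceSignals) -> str:
    """Return 'strong', 'weak' or 'none' evidence that both are one device.

    Only a fingerprint match counts as strong evidence. A matching public
    address on its own is weak: behind NAT many distinct devices share one
    address, so an attacker-initiated request and a victim behind the same
    NAT would look like the same device if the address alone were trusted.
    """
    fp_init, fp_auth = initiating.fingerprint, authenticating.fingerprint
    if fp_init and fp_auth:
        # A fingerprint mismatch overrides any address match.
        return "strong" if fp_init == fp_auth else "none"
    if initiating.client_ip == authenticating.client_ip:
        return "weak"
    return "none"


def treat_as_same_device(initiating: DeviceSignals,
                         authenticating: DeviceSignals) -> bool:
    """Policy hook: only strong evidence unlocks same-device handling."""
    return same_device_evidence(initiating, authenticating) == "strong"


if __name__ == "__main__":
    # Constructed sample signals: two different devices behind one NAT.
    office_nat = "203.0.113.10"
    laptop = DeviceSignals(office_nat, fingerprint="fp-laptop")
    phone = DeviceSignals(office_nat, fingerprint="fp-phone")
    print(same_device_evidence(laptop, laptop))   # strong
    print(same_device_evidence(laptop, phone))    # none (shared NAT address)
    print(same_device_evidence(DeviceSignals(office_nat),
                               DeviceSignals(office_nat)))  # weak
```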
