I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please treat these comments just like any other last call comments. For more information, please see the FAQ at . Document: draft-ietf-oauth-cross-device-security-13 Reviewer: Paul Kyzivat Review Date: 2025-12-16 IETF LC End Date: 2025-12-16 IESG Telechat date: ? Summary: This draft is on the right track but has open issues, described in the review. Major issues: (1) 1) ISSUE: Confusing diagrams Sect1ons 3.1.*, 3.2.1, 4.n.* contain flow diagrams that support the text. I found the text to be clearer than the diagrams. Particularly, I found the bidirectional arrows confusing; and also the looping arrows (User Start Flow). If I read the text description first, and use the diagram as support, then it seems ok. But, because the diagrams appear before the text description, I first spent time trying to understand the diagrams, and being confused by them, before reading the description. Also, as an example, in 3.1.1, step (C) involves two actions by separate actors: (C1) consumption device displays the QR code, and (C2) User uses the authentication device to scan the QR code. The diagram doesn't show the user involvement in this step. I won't try here to enumerate all such problems. I'll leave that for you. But I'm willing to do a more detailed analysis if you wish. I do think it is important for the reader to understand these, so I think it is worth some effort to make these diagrams clearer. Nits/editorial comments: 3 1) NIT: Missing definitions: phishing & social engineering The terms "phishing" and *social engineering* are used extensively in this document. They are in common use, and most readers of this document can be expected to have some understanding of them. But they might not all have the same definitions. I think it would be a good idea for you to provide your own definitions, or cite some. 2) NIT: Possible downrefs IdNits reports several possible downrefs to normative non-RFC documents: [CIBA], [CAEP], [SSF], [W3CWebAuthn], [FIDOCTAP22], [IEEE802154] These are probably fine. But I'm not sure that any of these need to be *normative* references, as they are all used as examples. Consider making them non-normative. The few other things reported by IdNits are bogus. 3) Comment: (I don't think this is an issue or a nit, but do want to make the point.) Throughout the document QR codes and PIN codes are discussed as roughly equivalent. But QR codes carry much more potential risk, because dereferencing the URL in a QR code can cause almost anything to happen, without the user knowing. So a cross-device flow that is designed to use a QR code can have the effect of desensitizing the user to the potential risk of scanning a QR code that is received in the context of a fishing attackg. I'm not sure what, if anything, this document should do about this. Perhaps there should be another document: QR Code Security Best Practices.