I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

The primary goal of this BCP draft is to specify that OAuth 2.0 authorization requests from native apps should only be made through external user agents, primarily the user's browser, as opposed to an embedded user-agent.

Security Considerations

This BCP is all at quite a high level. It talks about interprocess and world wide web interactions to effectuate OAuth 2.0, mechanisms with which I am not too familiar. But, all mechanism details are in other documents. The recommendations seem reasonable and the beginning of the Security Considerations section paints a somewhat dismal security picture compared with that typical of cryptographic or protocol security. As best I can tell, it is ready with trivial nits as listed below.

Minor

SSO is used multiple times but never expanded.

Trivial English Improvements

Page 13, Section 8.8
"for native apps to include" -> "that native apps include"

Page , Appendix B
"in an generic manner" -> "in a generic manner"

Page 19, Appendix B.4, 2nd paragraph
Last word of first line and first word of second line are duplicates.

Thanks,
Donald
===============================
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3@gmail.com
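Added example, not part of the review above or of the BCP under review: a sketch of how a native app follows the BCP's core recommendation by handing the OAuth 2.0 authorization request to the system browser (an external user agent) rather than loading it in an embedded web view. The authorization endpoint, client_id and scope values are constructed placeholders. The loopback redirect (a one-shot HTTP listener on 127.0.0.1) and the PKCE code challenge (RFC 7636, S256 method) are assumed here as the usual companions of the external-user-agent pattern; the review itself does not discuss them. The `state` check on the redirect is the part a defender cares about: a response whose `state` does not match the one issued is dropped rather than exchanged for tokens.

```python
"""Native-app OAuth 2.0 authorization via the system browser (added example).

Flow: build the request URL -> open it with the OS browser -> receive the
redirect on a loopback listener -> verify state -> return the authorization
code for the token exchange (exchange itself is out of scope here).
"""
import base64
import hashlib
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; a real app gets these from its registration.
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-native-client"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    A verifier may be supplied for testing; otherwise 32 random bytes are used.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(redirect_uri: str, state: str,
                            code_challenge: str, scope: str = "openid") -> str:
    """Compose the authorization request that the external browser will load."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(request_target: str, expected_state: str) -> str:
    """Extract the authorization code from the loopback redirect.

    Rejects a missing or mismatched state (a response this app did not ask
    for) and surfaces an error response instead of treating it as success.
    """
    qs = parse_qs(urlparse(request_target).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this request")
    if "error" in qs:
        raise ValueError("authorization server returned error: %s" % qs["error"][0])
    if "code" not in qs:
        raise ValueError("redirect carries no authorization code")
    return qs["code"][0]


class _LoopbackHandler(BaseHTTPRequestHandler):
    """One-shot handler: stores the raw request target on the server object."""

    def do_GET(self):
        self.server.request_target = self.path  # type: ignore[attr-defined]
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You may close this window and return to the app.")

    def log_message(self, *args):  # keep the example quiet
        pass


def authorize_via_system_browser() -> Tuple[str, str]:
    """Run the full flow; returns (authorization_code, code_verifier)."""
    server = HTTPServer(("127.0.0.1", 0), _LoopbackHandler)  # ephemeral port
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_port
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    webbrowser.open(build_authorization_url(redirect_uri, state, challenge))
    server.handle_request()  # block for exactly one redirect
    code = parse_redirect(server.request_target, state)  # type: ignore[attr-defined]
    return code, verifier


if __name__ == "__main__":
    code, verifier = authorize_via_system_browser()
    print("got authorization code; exchange it with code_verifier at the token endpoint")
```

`webbrowser.open` is what makes this an external-user-agent flow: the app never sees the user's credentials or the authorization server's session, only the redirect back to its own loopback listener. The ephemeral port is chosen per run, so the registered redirect URI must allow any loopback port, which is the usual practice for this pattern.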