Dear authors, As per the IoT Dir request I will be providing a first review of draft-richardson-mud-qrcode-02. To my understanding the aim of the document is to provide the MUD URL as a QR code for devices that do not have MUD support. From the deployment point of view I suppose the process would be done for example via a deployment specialist that scans the code and transmits the URL from the phone device to the MUD Controller. As per 3.2.5 in some cases the MUD URL contains also the MAC of the device so that when the device connects, the network will recognise it (for example when using ARP or DHCP). That latter part by the way is a bit undefined at the moment, for example I am not familiar enough with LLDP or with how WLAN attach process but I think access points are supposed to know the MAC during the authentication process. The document focuses on how the MUD could be expressed as a SQRL code. I am not an expert on SQRL so I take it that the contents of Section 3.2 are correct. When the MAC is not included on the MUD URL then the assumption is that the network administrator is the one with physical access to the devices and can create the relevant policies. This comes with the caveat of what is then the purpose of the QR code if manual configuration is needed anyways. A naive attacker could read the QR code that contains the MAC, change its own MAC to that of the QR code and then impersonate the device effectively blacklisting that MAC address and preventing the actual device from attaching to the network in the future. Section 7 lists some of the attacks but I do not know if it is an exhaustive list, we probably should have a big disclaimer on the use of this devices and differentiate on the use cases (home, university, etc) as they have different deployment processes. I could not find editorial issues but I admit I was not terribly thorough in the review. I am missing MUD URL examples and more details on how the MUD controller operates when a MAC matching a scanned QR code arrives, perhaps that is part of another draft? As per request of the ISE: "The ISE would appreciate reviews from IoT and Operations experts to gather opinions on the document. In particular, the ISE would like to know whether publicaiton would be a bad idea or could be harmful to the Internet." I personally do not see any specific items on this draft that could be harmful to the general Internet. Some security issues are evident and affect the use of the QR code, but they have been described in the Security section. Ciao! -- Jaime Jiménez