Hello, I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments. Summary: ready with minor issues This document records the SHA-256 variants of SCRAM SASL mechanisms. As it complements RFC 5802, the authors refer to its security section:    "The security considerations from [RFC5802] still apply." I have no objection as RFC 5802 security section seems well documented (I'm not an expert of the domain however). That being said, I have two comments: - there is no mention of the motivation for moving from SHA-1 to SHA-256.   I think the security section is a nice place for that, and the authors can easily   refer to RFC 4270 and RFC 6194 (there may be other references too that   I’m not aware of). - RFC 2119 is missing from the Normative References. Please add it.    [R2119]  Bradner, S., "Key words for use in RFCs to Indicate             Requirement Levels", BCP 14, RFC 2119, March 1997.   I also think that RFC 4422 should be moved to the Normative References   as it is a mandatory to read reference for the present document. Cheers,   Vincent Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail