I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments that arrive in a timely manner, and not significantly belated.

First of all - please apologize for being very late with this review! The field is also well outside my area of expertise, which may make my review moot.

My one comment is that the Security Considerations section identifies the Session-ID as sensitive and says that implementations SHOULD NOT be assigned in a predictable manner. Given the security implications of Session-ID forgery (also clearly stated in the SC section), it might be worth recommending the use of a CSPRNG to generate the Session-IDs.

I'm curious about how this is done in implementations today though...

Cheers Leif