I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: ready with issues The Security Considerations (section 5) appears incomplete. The next-to-last paragraph of the Security Considerations text is: Partial list of issues to be addressed in this section: Privacy, SAML, Trust Anchors, EAP Algorithm Selection, Diameter/RADIUS/AAA Issues, Naming of Entities, Protection of passwords, Channel Binding, End-point-connections (TLS), Proxy problems The bulk of the Security Considerations adequately describes the security properties of the different communication channels. Section 4 is Privacy Considerations, so maybe just make a cross-reference to it in Security Considerations? If the other listed "to be addressed" security considerations are already described elsewhere in the document, possibly summarize them in section 5 and provide cross-references? The final paragraph of section 5 describes privacy considerations related to reverse engineering of pseudonyms, but this text seems to be logically disconnected from the rest of the section. Maybe it belongs in section 4?