I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

In summary: one issue

Overall the document seems ok and well written to me but for one thing: the lack of normative language in section 4. The explanation that this is because of a lack of clear behavioral distinction between browser input boxes and URI parsers seems a bit weak to me. I don't understand why it isn't desirable to write down normative language for the behavior of one of these cases (URI parsers) even if the other (input boxes) can't be specified.

This phrasing caught my eye: "It is desirable for all URI parsers to recognise a zone identifier according to the syntax defined in Section 3." Since the bulk of the I-D is in section 3, why not make this normative language along the lines of "URI parsers implementing this specification MUST recognize zone identifiers according to the syntax in section 3."? The fact that not all browsers choose to do so is a separate issue.

Also this: "It is desirable for all URI parsers to recognise a zone identifier according to the syntax defined in Section 3.". We already know this is not the case but isn't it better to have a document that clearly defines the behavior for those browsers who choose to implement this I-D?