I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other comments.

- It is clear that Section 10 and Section 11 are intended to be normative since they contain capitalized keywords (e.g., "SHOULD"). However, it is not clear to me if Section 9 is intended to be normative or informative. There are several lower-case "should" in Section 9 which makes me suspect that the Section is informative, but would be good to clarify.

- Security Considerations: This section contains the following text:

  "To prevent a bogus PCE from sending harmful messages to the network nodes, the network devices should authenticate the validity of the PCE and ensure a secure communication channel between them. Thus, the mechanisms described in [RFC8253] for the usage of TLS for PCEP and [RFC9050] for malicious PCE should be used."

  Firstly, did this intend to just say "authenticate the PCE"? I am not sure what "authenticate the validity" means, and it seems that authentication of the PCE should suffice (assuming that it, after having been authenticated, can be identified as a valid PCE)?

  Secondly, did the second sentence intend to state "... and [RFC9050] for protection against malicious PCEs should be used"?

  Thirdly, was that last "should" intended to be lower-case (i.e., informative)?

Thanks,
Magnus