I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is an early review that was requested on Nov 21 with a due date of the same day. I hope this is still useful given that a few weeks have passed.

From the abstract, "This specification defines how multiple Security Event Tokens (SETs) can be delivered to an intended recipient using HTTP POST over TLS." SETs are defined in RFC 8417, and delivery of a SET via TLS/HTTP is defined in RFC 8935. This document extends 8935 by allowing delivery of more than one SET in a single message.

I think the document is generally progressing well. I have one minor comment: I think the security considerations section should begin by stating that all security considerations of 8417 and 8935 apply to this document. This document's security considerations subsection 7.6 explicitly calls out "Section 5 of [RFC8935]", but this might lead a reader to conclude that this is the only 8417/8935 security consideration that applies to this document.