Caveat: I am not a security expert familiar with the deployment of the SCEP protocol. If operational experience with this protocol is required for this review, I suggest you obtain a secondary review.

General comments: The document summarizes in a readable fashion all the issues I could imagine regarding this protocol's deployment issues. Issues of scale and security have been examined.

Editorial:

p. 19, section 3.3.1, British spelling of authorization is used (authorisation). RFC editor may want to change or author may want to change to US spelling.

p. 26 - I appreciate the use of non-idempotent and idempotent in this section. I hope this is normal language for the security area.