I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.


This document describes the extensions to ACME to allow for a third party Token Authority also act as the authority and authorization of entities to control a resource; the use case and motivating scenario described in the draft is for a telephone authority to be the authority for creating CA types of certificates for (STIR) delegation.  The document assumes full knowledge of a set of drafts and is straightforward.  I only have a couple of nits but otherwise I think it is ready.


NITs:
Section 5.2: the "exp" claim is mute on SHOULD vs MUST, it seems that you would want to have such a claim so minimally a SHOULD?

Section 5.3: is this optional, may or must?

Section 5.4: personal nit, the section should specify this claim to be a MUST, it is implicitly stated but would prefer it to be explicit.

Section 6: 
 -I presume that "verify the atc field" is actually verifying that the TNAuthList token is valid?