I have reviewed this document as part of the SEC area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

Major issues:

The document does not introduce any new algorithms, protocols, or significant extensions to JMAP, WebPush, or VAPID. There is a section on Key Rotation Process which is specified in RFC8292. It seems that the document should be "Informational" instead of Standards Track, correct?

The security considerations of the document seem to primarily reiterate general concerns from related RFCs such as JMAP (RFC8620), WebPush (RFC8030), and VAPID (RFC8292). However, the document appears to lack a detailed exploration of security issues specific to the integration of VAPID with JMAP WebPush. Below are potential security risks that deserve some discussion:

- The risk of race conditions if clients and servers are out of sync during the key rotation process.

- The document does not address the potential risks associated with the exposure of the urn:ietf:params:jmap:webpush-vapid property in the JMAP capabilities object.

Best Regards,
Linda Dunbar