Hello,

I have reviewed draft-ietf-kitten-gssapi-naming-exts as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft extends the GSS-API naming model to include support for "name attributes". This support can be used by an application to make authorization decisions.

I found no problems in the draft that the ADs should take special note of. The draft is well-written and introduces and uses terminology well, with one nit. It introduces terms with certain marking and then uses them either without the marking (which is fine) or with some other marking. For instance, "An attribute is 'authenticated' iff...." and then the concept of an authenticated attribute is used without the single quote. But sometimes attributes "MUST be represented as *authenticated* GSS-API name attributes named using the _same_ OID mapped to a URN." OK, so what's the significance of the asterisks now? And the underscore? I found no value in these marks and suggest removing them. If the authors intend for the marks to convey some meaning then perhaps a Notations section is in order.

One last nit: Section 6.2.1 refers to "(see comment above)" which should be "(see Section 5)".

regards,

Dan.