I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready.

This document is a straightforward update of RFC 5653:

1. The draft modifies GSSException to support an embedded error token; as specified in RFC 5653 a JGSS application throwing a GSSException could not return an error token, a functional shortcoming in comparison with the C bindings of GSS-API (see RFC 2744). The embedded error token corrects this shortcoming. The document describes a compatibility strategy for new JGSS programs that run with both RFC5653 and RFC5653bis Java bindings.

2. The draft removes stream-based GSSContext methods. These methods cannot be implemented correctly where tokens have no self-framing or the library has no knowledge of the token format. The document states that applications using input and output streams as the means to convey authentication and per-message GSS-API tokens should also define the wire protocol. The reviewer infers that new applications using this design strategy should be compatible with RFC5653 bindings, but that is not explicitly stated.
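An added illustration of point 2, not taken from the draft or from the reviewer: one way an application can define its own wire protocol for opaque GSS-API tokens carried over streams, so that only the byte-array GSSContext methods are needed. The class name, the 4-byte length prefix, the 64 KiB limit and the sample token bytes are all assumptions made for this example.

```java
import java.io.*;
import java.util.Arrays;

// Hypothetical application-level framing for opaque GSS-API tokens.
public class GssTokenFraming {
    // Assumed upper bound; a real protocol chooses and documents its own.
    static final int MAX_TOKEN_LEN = 64 * 1024;

    // Frame = 4-byte big-endian length followed by the token bytes.
    static void writeToken(OutputStream out, byte[] token) throws IOException {
        if (token.length > MAX_TOKEN_LEN) throw new IOException("token too large");
        DataOutputStream d = new DataOutputStream(out);
        d.writeInt(token.length);
        d.write(token);
        d.flush();
    }

    // Returns exactly one token, however the transport split or merged it.
    static byte[] readToken(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        int len = d.readInt();               // EOFException if the peer closed
        if (len < 0 || len > MAX_TOKEN_LEN)  // reject before allocating
            throw new IOException("bad token length: " + len);
        byte[] token = new byte[len];
        d.readFully(token);                  // waits for the complete token
        return token;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins for a context token and a per-message token.
        byte[] ctxToken = {0x60, 0x03, 0x01, 0x02, 0x03};
        byte[] micToken = {0x0a, 0x0b};

        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        writeToken(wire, ctxToken);
        writeToken(wire, micToken);          // back-to-back on one stream

        InputStream in = new ByteArrayInputStream(wire.toByteArray());
        // Each array would be passed to a byte[]-based GSSContext method.
        System.out.println("token 1 intact: " + Arrays.equals(readToken(in), ctxToken));
        System.out.println("token 2 intact: " + Arrays.equals(readToken(in), micToken));

        // A peer-supplied length above the limit is refused up front.
        byte[] hostile = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        try {
            readToken(new ByteArrayInputStream(hostile));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the receiver learns each token's boundary from the frame, the library never has to infer it from the token format, and the length check keeps a peer from forcing a large allocation before authentication completes.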