Hello, I have reviewed this document as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. First, a big thanks to the authors for a decently-sized Security and Privacy Considerations section. I certainly found myself wanting to ask a lot of questions as I read through this, and these two aforementioned sections did a decent job of running through the considerations. I did, however, find the lack of normative language distracting, particularly in the face of the considerable security/privacy considerations conversation. If security and privacy are a base requirement, why is there no normative language to that end? As written, it seems completely wide open to the implementation - and maybe this is true even if there is normative language), and I think the document would be well served to consider modification to include normative language. Regards, Sarah