I reviewed this document as part of the Security Directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Security Area Directors. Document authors, document editors, and WG chairs should treat these comments just like any other IETF Last Call comments. Document: draft-ietf-lwig-curve-representations-08 Reviewer: Russ Housley Review Date: 2019-11-26 IETF LC End Date: unknown IESG Telechat date: unknown Summary: Has Issues Major Concerns: I am confused by the first paragraph in Section 10. It says that "An object identifier is requested ...", but then code points for COSE and JOSE (not object identifiers) are requested in the subsections. I am confused by the second paragraph in Section 10. It says that "There is *currently* no further IANA action required ...". Please delete this paragraph. Minor Concerns: Requirements Language section is out of date. It should reference RFC 8174 in addition to RFC 2119, as follows: The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. Section 2 says: "... reuse of existing generic code ..."; I do not know what is meant by "generic". It either needs to be defined, reworded, or dropped. I note that elsewhere in the document "existing code" is used. I expected Section 9 to say something about public keys being unique identifiers of the private key holder. Some introduction text at the beginning of each Appendix would be very helpful. Please tell the reader what they will learn by delving into the subsections of the appendix. Nits: Section 4.2 says: "... at the end of hereof ...". This does not tell me anything useful. I suggest deleting this phrase. I suggest turning the numbered paragraphs in Section 5 into subsections.