I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. It is well written, so only some editorial comments are below. #1 " 2.2. Authentication, Integrity, and Confidentiality ... 2.3. Authentication ... " Perhaps the Titles of 2.2 and 2.3 can harmonize better to explain why there are two "authentications" here. #2 " 6.2. Subtree Filter Components A subtree filter is comprised of XML elements and their XML attributes. There are five types of components that may be present in a subtree filter: o Namespace Selection o Attribute Match Expressions o Containment Nodes o Selection Nodes o Content Match Nodes ... " If a figure could be provided to describe the relationship among these 5 components and when it becomes what, it would be very helpful for readers to understand more easily. #3 " 6.2.3. Containment Nodes Nodes that contain child elements within a subtree filter are called "containment nodes". I would say "Child Elements Nodes" or "Child Nodes" might be a little bit more of straight forward than "Containment Nodes". #4 " 7.2. ... Parameters: ... merge: The configuration data in the parameter is merged with the configuration at the corresponding level in the target datastore. This is the default behavior. ... " Has the parameter been introduced before? Best Regards, Tina TSOU http://tinatsou.weebly.com/contact.html