I am an assigned INT directorate reviewer for
draft-ietf-regext-rdap-openid. These comments were written primarily for
the benefit of the Internet Area Directors. Document editors and shepherd(s)
should treat these comments just like they would treat comments from any other
IETF contributors and resolve them along with any other Last Call comments that
have been received. For more details on the INT Directorate, see
<https://datatracker.ietf.org/group/intdir/about/>.

In Registration Data Access Protocol (RDAP) completed in 2015 a federated authentication service was up to now still undefined/unspecified - as already stated in RFC7481 on RDAP security services pointinhg already to OAuth authorization framework and OpenID as single sign-on authentication system. The mechanism proposed in this draft fills the gap and refers to 3 PoC implementations based on earlier versions. It would be great if also a reference implementation to a more recent version could be provided IMO.

Overall the document seems quite complete and elaborated in version 25 to me and even only few very minor nits have been found:
- mentioned "out-of-band" source, method, mechanism refers to entities outside the described RDAP system here, right? Not sure whether this usage of the term might be clarified...
- re-using vs. reused: this should be used consistently IMO
- (e.g. xyz => (e.g., xyz

Thanks to the author and all contributors!
Best regards
Dirk