Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: not ready

Globally, the security considerations section addresses all topics that come to my mind, given my understanding. The only comment I have is WRT the last paragraph of section 18.1. The wording "Excluding this claim" seems ambiguous to me since I don't understand if it refers to the "rcdi claim" or "an entry in mustExclude". Also, I don't understand the core problem (why does a mustExclude tag compromise integrity protection?). I think the issue deserves more details. Finally, isn't "MUST NOT" more appropriate than "SHOULD NOT", since the consequences of not following this rule are major?

A few minor, additional comments:

- Section 18, 1st sentence: s/its identities/it is identities/
- Section 18, 2nd paragraph: I don't understand "over in a using protocol", please fix typo.
- Section 18, 3rd paragraph: s/availbility/availability/

Cheers,
Vincent