I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.   Summary: Ready with one minor issue The only problem I had was working out what the authors meant by idempotent because the term is unfortunately used to mean different things. So the fact it is being used correctly here doesn't necessarily help the reader. The term is explained in rfc7252 but doesn't have an entry in the terms and definitions section. Where it is explained (sec 5.4) the explanation is consistent with HTTP practice. But I think it would help a lot if besides saying that the effect of doing the operation repeatedly, it was stated that the effect is that message replay doesn't have effect. Since it isn't defined in rfc7252 terms and definitions, it needs an entry in this draft and there should probably be an errata on rfc7252 so that it can be fixed on the next rev. It would be useful to point that out in the security considerations section as well.