I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of this review is Ready with Nits. The spec itself seems straightforward, but some of the text could be clarified.

I'm a little confused about this:

> Since IM clients could be very numerous, operators are reticent to issue
> certificates for these users that might accidentally be used to validate a
> TLS connection because it has the KeyPurposeId id-kp-serverAuth or
> id-kp-clientAuth.

First, what is an "operator" in this context?

Second, is the worry that CAs might sign a certificate with the wrong KeyPurposeId? I'm unsure how this specification would prevent that. Or is it that absent this new purpose, there's nothing preventing a certificate from being used in both contexts, creating cross-protocol attack risks (as outlined in section 6 of RFC 9336)?

It seems like this works only if every validator enforces a proper value for KeyPurposeId in received certificates, in which case this is just another purpose to be added to the registry so IM clients have a unique KeyPurposeId to check for. Is that right?

This text could use some wordsmithing:

> This specification defines the KeyPurposeId id-kp-imUri, which MAY be used
> for signing messages to prove the identity of an Instant Messaging client.

I don't think the KeyPurposeId is used for signing messages. You might want something like "This specification defines the KeyPurposeId id-kp-imUri, which MAY be included in certificates used to prove the identity of an Instant Messaging Client." Though I think to deal with the above concern, the entire certificate ecosystem MUST enforce the presence of an appropriate value. I wonder if the normative language even needs to be here, versus in the protocol specification.