Reviewer: Leif Johansson
Review result: Has issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Review:

Section 3.8 begins "A Channel defines a bi-directional communication channel". First of all, it is probably a good idea to avoid using the term you're defining in the definition. Also, in the text a Channel is described as a URL with the cert or CA of the endpoint, but in the channel object definition there is only a reference to the credentials, which I understood to be the client authn credential and not the server identity.

This leads me to a larger issue (which may be answered in another LMAP document for all I know): what is the authentication model for LMAP? Specifically, does LMAP assume the standard Web PKI for channel endpoints? If not, then you probably need to specify how to validate the server cert, which may lead you to want to represent a private CA (say) in the channel object.

In any case, the authentication model should be referenced from the Security Considerations section and clearly match the information model for channels.

Cheers
Leif