I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document establishes a registry for Authentication Method Reference (amr) values used by the OpenID protocol and defines an initial set of such values. The amr claim is already defined and registered in IANA; this document serves to implement it. The amr provides a field in which information about the type of authentication being used is provided, using the amr values.

The authors of the document address both security and privacy concerns. The privacy concern is that the amr claim provides information about the form of authentication used, which could have privacy implications in some cases, and that this document does not provide any guidance as to how privacy-relevant credentials, such as biometric information, are stored and protected. As the authors point out, the latter is beyond the scope of the document.

The security concerns are mainly derived from those of the OpenID protocol. The authors also warn that amr may be more brittle than another related claim, acr, since acr provides information about whether a particular set of business rules was satisfied, while amr only tells you whether a particular type of authentication was used. This could lead to a policy that relies on particular forms of authentication, which would be harder to update as security needs change.

I think that the authors have done a good job of addressing security and privacy concerns, and I don’t see any issues here.

I consider this document ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil