I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other comments.

This document is ready. I have one minor suggestion (see below), but the document appears ready for publication.

This is the architecture and requirements document associated with OAUTH 2.0 Proof of Possession (see draft-ietf-oauth-proof-of-possession and draft-ietf-oauth-pop-key-distribution). The use-cases (and associated security concerns) that motivate proof of possession mechanisms are clearly laid out in the document, as are the security requirements for an acceptable proof of possession mechanism.

The document assumes knowledge of RFC 6819 -- the OAUTH 2.0 Threat Model and Security Considerations. (In particular, the architectural assumptions, security properties and threat model laid out in 6819 seem vital to understanding the security requirements in this document.) Therefore, I would like to see an explicit reference to 6819 in the Security Considerations section of this document. That is, it would be helpful to make clear that the Threat Model and Architectural Assumptions in 6819 apply to this document.

- Matt Lepinski