I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

The Security Consideration section of this draft is fine, considering how high-level this document is, but I think there are some problems in the rest of the document as indicated below.

This high-level document describes a general architecture for a reputation-based service and a model for requesting reputation-related data over the Internet.

Minor Problems:

Section 1: The last sentence of the first paragraph could be read to imply that lack of authentication is the primary cause of spam. In this era of botnets, I don't think that's true. Perhaps "... leads to spam, phishing, and other attacks." should say "... makes spam, phishing, and other attacks even easier than they would otherwise be." or something like that.

Section 4.1.1: My guess is that the values of a "Rating" are floating point in the range 0.0 to 1.0 but it doesn't actually say that... If so, why isn't the example "1.0" said to indicate "exact agreement" or the like instead of "strong agreement"? Would 2.0 indicate "very strong agreement"?

Section 4.2: It appears that "Reputon" and "Response Set" are the same thing. Is that true? If so, my personal opinion is that, while the word "Reputon" may be cute, it should just be tossed as superfluous.

Section 5: This section seems in some ways like the heart of the document but it also seems a bit blurry. Even at a high level, I would think that there could be an explicit cardinality associated with these bullet items. That is, it should say for each (or for all in the case it is the same for all of them) if they can be omitted, whether or not they must occur at least once, and if they can occur multiple times.

Is "application context" the same as what quality is being rated? I would think not. For example, couldn't the application be "restaurant recommendation" and then couldn't there be, say, four ratings, one for food quality, one for price, one for decor, and one for service? If so, why isn't what the rating measures an additional bullet item or part of the rating score item? On the other hand, the rating score item says "overall rating score" implying there can only be one...

Section 6: Suddenly, in this section, for the first time, we have the capitalized word "Target". Why isn't this defined in Section 4 on terminology and definitions? I suppose it means something like the pair of identity of the entity being rated and the application context?

Trivia:

Section 1: In paragraph 3 the definition of "reputation" uses the word "estimation" in an uncommon way that might confuse some readers. I think it could use something like the word "esteem" instead. The word "opinion" could also be used but would require minor corresponding changes. This occurs within quoted text that looks like it is copied from somewhere else. If so, shouldn't that source be referenced?

Section 3: The Figure 1 footer should be on the same page as the figure.

Section 4.1: In the last sentence of the 2nd paragraph at the end of page 7, I would strongly prefer "specify" to "define" but that might be a personal quirk.