I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes how a user agent can establish a relationship with a push service (a subscription) and then share that distribution node information with various applications. As such, the document is well written and has a comprehensive security considerations section. The only slight concern I have is related to the authorization of receiving push messages. The technique used is essentially bearer tokens (knowledge of a URL). It therefore seems as if unintended sharing of such a capability URL could cause other user agents to get access to push notifications. I wonder if the work around token binding in TLS (holder-of-key tokens) could be applicable here, at least in the future. -- Magnus