I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This internet-draft describes an assertion framework for the OAuth 2.0 protocol. Given that that this is a framework, subsequent drafts would be needed for a deployed mechanism. The security considerations section does exist and outlines various issues including impersonation, replay, and privacy. The section then suggests ways of mitigating these threats. This seems sufficient, but can there be more guidance on the Assertion ID to avoid collision or replay (e.g. length, roll-over, etc.)? General comments: None. Editorial comments: Redundant wordings, suggested fix: Old:  An IEFT URN for use as the "XXXX" value can be requested using the template in An IETF URN Sub-Namespace for OAuth [ RFC6755 ]. New: An IEFT URN for use as the "XXXX" value can be requested using the template in [ RFC6755 ]. Shouldn't urn:ietf:params:oauth:grant_type:* be urn:ietf:params:oauth:grant-type:*? s/included yet all/included, yet all/ Shawn. --