Reviewer: Matthew Miller Review result: Ready with Issues IETF LC End Date: N/A IESG Telechat date: 2018-05-10 Summary: Ready with a potential issue. Major issues: N/A Minor issues: In reading the client's processing of the server's "token_binding" extension, there seems to be the potential for falling through the cracks with regards to version: * client MUST terminate the TLS handshake if the server's TB_version is greater than the client's highest supported * client (MUST? SHOULD? MAY?) continue the TLS handshake **without Token Binding** if the server's TB_version is not one the client is willing to use (e.g., lower than the client's minimum acceptable version) As written, it seems that a client that requires token binding has to finish TLS negotiation, then reject further interactions at the application level, but it's not clear this is the expected or best approach. I think it's worth adding at least some language about this scenario. Nits/editorial comments: N/A