diff --git a/protocol/protocol.pdf b/protocol/protocol.pdf
index 7328d48..09f63e9 100644
Binary files a/protocol/protocol.pdf and b/protocol/protocol.pdf differ
diff --git a/protocol/protocol.tex b/protocol/protocol.tex
index f9a5211..84b0031 100644
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@@ -625,7 +625,7 @@
 \newcommand{\concern}[1]{\eli{Concern}{#1}}
 \newcommand{\reorder}[1]{\eli{Suggested reordering}{#1}}
 \newcommand{\improve}[1]{\eli{Suggested improvement}{#1}}
-
+\newcommand{\general}[1]{\eli{General comment}{#1}}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%% end Eli macros
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
@@ -644,6 +644,8 @@
 
 
 \nsection{Introduction}
+\general{Who is the intended reader of this document? Someone who wishes to build a node/miner/wallet?
+In particular, what's the relation between this document and the existing code?}
 \Zcash is an implementation of the \term{Decentralized Anonymous Payment}
 scheme \Zerocash \cite{BCG+2014}, with some security fixes and adjustments
 to terminology, functionality and performance. It bridges the existing
@@ -682,7 +684,10 @@ This specification is structured as follows:
 
 \nsubsection{Caution}
 
-\concern{Shouldn't this document, or even this section, contain some legal boilerplate suggested by ZECC legal counsel?}
+\concern{Shouldn't this document, or even this section, also contain some legal boilerplate suggested by ZECC legal counsel?
+This could prevent readers from claiming wrong-doing because of internal inconsistencies in the paper and/or inconsistencies
+between this paper and the released code (DAO should serve as a reminder of the potential outcomes of such discrepancies).}
+
 
 \Zcash security depends on consensus. Should a program interacting with the
 \Zcash network diverge from consensus, its security will be weakened or destroyed.
@@ -714,7 +719,7 @@ were called ``serial numbers''.},
 which specify an amount and a \payingKey. The \payingKey is part of
 a \paymentAddress, which is a destination to which \notes can be sent.
 As in \Bitcoin, this is associated with a private key
-\typo{private key->spending key here? This would
+\typo{private key perhaps should be spending key here? This would
 remove the need for last snippet in this paragraph}
 that can be used to
 spend \notes sent to the address; in \Zcash this
@@ -1027,14 +1032,23 @@ As in \Bitcoin, the remaining value in the pool is
 available to miners as a fee. \reorder{This last paragraph should likely go elsewhere, it stops the
 discussion of trees and feels out of place here.}
 
-An \anchor is a Merkle tree root of a \noteCommitmentTree. \question{Later (page 23)
-an anchor is defined as one of two possible things, please clarify} It uniquely identifies
+An \anchor is a Merkle tree root of a \noteCommitmentTree.
+\question{In \crossref{joinsplitencoding} an anchor is defined as one of two possible things, needs clarification. See suggestion next.}
+\improve{Given a sequence $S=(c_1,\ldots, c_n)$ of coin commitments, let $h(S)$ be its Merkle-tree based hash.
+Given a transaction containing an ordered sequence $JS_1,\ldots, JS_m$ of JoinSplit descriptions,
+an \anchor is defined inductively thus: the anchor of $JS_1$ must be $h(S_1)$ for some prefix $S_1$ of the block-chain
+and for $i\in \{2,\ldots, m\}$ an \anchor is $h(S_i)$ where $S_i$ must be either some prefix of the block-chain,
+or a sequence $S_{i'}\circ JS_{i'}$ for some $i'<i$ where $\circ$ denotes sequence-concatenation.}
+It uniquely identifies
 a \noteCommitmentTree state given the assumed security properties of the Merkle tree's
 hash function. Since the \nullifierSet is always updated together with the
 \noteCommitmentTree, this also identifies a particular state of the \nullifierSet.
 
 In a given node's \blockchainview, \treestates are chained \question{What does chained mean?
-I think you want to say ``defined inductively'' instead}
+I think you want to say ``defined inductively'' instead. }
+\improve{Since there is a unique mapping from a sequence (of blocks/transactions) to a hash,
+I think it would simplify things to explain once this mapping, later talk about $HASH(sequence)$,
+this can simplify, e.g., the interstitial JS reference.}
 as follows:
 
 \begin{itemize}
@@ -1102,12 +1116,7 @@ Blocks in the \blockchain are associated (by all nodes) with the \merkleRoot of
 after all of its constituent \joinSplitDescriptions' \noteCommitments have been
 entered into the \noteCommitmentTree associated with the previous \block.
 \todo{Make this more precise.}
-\question{Is this what's going on: each transaction corresponds to
-a Merkle tree of a fixed depth (what is it?) that is
-created by a \emph{payer}; later on, \emph{miners} place
-the roots of these trees at leaves of the block-chain tree. Notice the
-length of authentication paths will thus be the sum of depths of
-the two trees.}
+\improve{Using the deterministic mapping from a sequence to a hash value can help simplify exposition here.}
 
 Each \merkleNode in the \incrementalMerkleTree is associated with a \merkleHash of
 size $\MerkleHashLength$ bytes.
@@ -1130,7 +1139,10 @@ it would otherwise result in a double-spend.
 
 \nsubsection{Block Subsidy and Founders' Reward} \label{subsidyconcepts}
 
-Like \Bitcoin, \Zcash creates currency when \blocks are mined. The value created on
+Like \Bitcoin, \Zcash creates currency when \blocks are mined.
+\typo{At some point in time this
+subsidy ends, right? the sentence above implies subsidy continues indefinitely}
+The value created on
 mining a \block is called the \blockSubsidy. It is composed of a \minerSubsidy and a
 \foundersReward. As in \Bitcoin, the miner of a \block also receives \transactionFees.
 
@@ -1483,8 +1495,10 @@ where
         a key agreement public key, used to derive the key for encryption
         of the \notesCiphertext (\crossref{inband})};
   \item \changed{$\RandomSeed \typecolon \RandomSeedType$ is
-        a seed that must \typo{hmm, its not clear how to enforce
-this, so perhaps must-> should} be chosen independently at random for each
+        a seed that must
+        \typo{its not clear how to enforce
+this, so perhaps must $\to$ should}
+be chosen independently at random for each
         \joinSplitDescription};
   \item $\h{\allOld} \typecolon \typeexp{\PRFOutput}{\NOld}$ is
         a sequence of tags that bind $\hSig$ to each
@@ -2029,7 +2043,7 @@ sequences.
 \securityrequirement{
 \typo{It sounds strange to require something that is formally
 false ($\SHA$ is a fixed function so cannot be
-formally collision resistant). How about requirement->assumption?}
+formally collision resistant). How about requirement $\to$ assumption?}
 $\SHA$ must be collision-resistant, and it must be infeasible to find a preimage $x$
 such that $\SHA(x) = \zeros{256}$.
 }
@@ -3080,13 +3094,20 @@ $\MaxBlockSubsidy$, and $\FoundersFraction$ are instantiated in \crossref{consta
 \todo{Any tx with a coinbase input must have no \transparent outputs (vout).}
 
 The \foundersReward is paid by a \transparent output in the \coinbaseTransaction, to
-one of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHeight.
+one
+\typo{any one? presumably there will be some deterministic schedule according to which payments are rotated?}
+of $\NumFounderAddresses$ \transparent addresses, depending on the \blockHeight.
+\question{what about miner subsidy? How is it paid?}
+\concern{This is one section that the legal team should look at. What happens if things change
+in the code, what's the correct version --- this paper or the code (recall DAO)?}
 
 Let $\SlowStartShift$ be defined as in the previous section.
 
 \renewcommand{\arraystretch}{0.95}
 
 For mainnet, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is \todo{}.
+\question{This description refers to a static list that is not updated with time.
+How will changes in ownership among stakeholders going to be reflected in this process?}
 
 For testnet, $\FounderAddressList_{\mathrm{1}..\NumFounderAddresses}$ is:
 
@@ -3130,7 +3151,9 @@ transaction type of the cryptocurrency on which it is based
 
 In \Zcash, there is only the original \Bitcoin transaction type,
 which is extended to contain a sequence of zero or more
-\Zcash-specific operations.
+\Zcash-specific operations. \typo{In many places (like the paragraph above) it would be
+better to talk about \emph{Basecoin} instead of \Bitcoin because the latter refers also to a particular
+payment system that is currently separated from \Zcash.}
 
 This allows for the possibility of chaining transfers of \xprotected
 value in a single \Zcash \transaction, e.g.\ to spend a \protectedNote