I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at < http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. Please resolve these comments along with any other Last Call comments you may receive. Document: draft-dukhovni-opportunistic-security-01 Reviewer: Martin Thomson Review Date: 2014-07-08 IETF LC End Date: 2014-08-05 IESG Telechat date: (if known) Summary: This reads a little like it was rushed. This needs some work before it can be considered ready. (I've cc'd saag here. That seemed appropriate, strip as you see fit.) Major issues: This misses one of the key principles behind opportunistic security: Insistence on failure, as opposed to downgrade or some lesser level of security - a characteristic of non-opportunistic security - elicits responses from users to work around the problem (accept the bad certificate, suppress certificate checking, etc...). The willingness of an opportunistic security implementation to accept unvalidated credentials means that it still benefits from resilience against passive attack. This is only really noted through an example of a "design blunder". In general, a more careful consideration of the document structure is needed. The document skirts around it's key goal: defining OS. Section 2 needs to start with a definition. The paragraph that follows the list in S2 is a reasonable attempt at that and could be tweaked fairly perform that function. The Security Considerations is a response to an unstated argument, but I think that the document needs to be clearer about what that argument is, i.e.: The willingness of an OS implementation to downgrade can be trivially exploited by an active attacker to strip an opportunistic mechanisms. The point that is made here is one that is most applicable in the aggregate, something that is implied by "users" (in the plural form), but should be explicit. Minor issues: Section 3 is unnecessary in its entirely: 1. 2119 language isn't really appropriate for this document. Many of the statements that rely on this would be much better without that language. Some of the uses are actually completely inappropriate: "When possible, opportunistic security SHOULD provide stronger security on a peer-by-peer basis." 2. I think that the description of "unauthenticated encryption" and "TOFU" belong in the text proper. TOFU is covered well enough by the text in S1; unauthenticated encryption needs to be covered in the description as a first class section, rather than piecemeal (see above). MitM and PFS are defined in RFC4949. Nits/editorial comments: References are double-bracketed "([ref])" and the "pervasive monitoring (PM[RFC7258])" reference doesn't need the "PM".