Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is actually a re-review of this document. It appears that James addressed most of my editorial comments from that review and I'm happy with the results.

James has separated out the components of the option described in -15 (the one I had previously reviewed) into two options in this document. Overall, I see where he's going with this and again I have no overall problems.

Some editorial things:

- I would like to see some discussion of the potential misuse of the Valid-For option in the Security Considerations section. This could be a simple pointer to section 2.5 but I do feel that should be explicitly called out in the Security Considerations.

- I would like to see some discussion of the expected bounds of the Valid-For option value. There is no guidance on what could or should be provided by the client, nor on what should be expected by the server. This just makes me a bit nervous. :-)

- I couldn't find any reason why the components needed to be separated into two different options. I'm sure that there is a good reason for it so having an explanation would help. If it's in there, then I just missed it.

Best regards,
Chris