I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Document is ready.

Some nits:

In section 2.6:

   Conversion to Unicode as well as normalization SHOULD be performed by edge systems such as laptops that take "local" text as input. These edge systems are best suited to determine the users intent, and can best convert from "local" text to a normalized form.

I think it’s weird to use “laptop” here, as the luggability plays no part. “PC” would be better. In fact, I don’t think mobile phones are any different in this respect.

The same section says that edge systems should normalize text, so AAA systems should not. It then goes on to say that today edge systems don’t always normalize text, so the AAA systems should. That’s a strange way to move forward, unless we’re sure that double-normalization does not cause problems.

The security considerations text is copied from RFC 4282. It still seems sufficient. This is remarkable considering that privacy is a big part of it, and privacy was not a hot topic on everyone’s mind in 2005 when RFC 4282 was written.

Yoav