I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I reviewed earlier versions of this I-D in February 2009 and in December 2010. This revision has more explicit text in the security considerations, which essentially states that the clarifications on offer/answer exchanges do not add any new security issues. It took me some time to parse the sentences; perhaps a simpler wording could have been used (e.g. s/exclude from use/exclude). I appreciate the more explicit text and the concrete pointers to the relevant RFCs.

However, these references raise a procedural question. It seems all these relevant specifications are on the standards track while this clarification, which tries to handle situations that can lead to "failed or degraded calls", is submitted as an Informational document. Should this not be standards track, formally updating the relevant RFCs? I see in the IESG writeup that this has been discussed before; the proposed move to publish this as Informational still sounds surprising to me as an outsider. If there is consensus to resolve the ambiguities as described in the document, then why not via a standards-track action? Or is the idea that this resolution simply can be ignored or that something very different might be invented? The latter would speak more for Experimental then.

Getting back to security considerations, if the intention is not to require implementations to follow the disambiguation described in the document (that is, not moving to standards-track), can malware exploit the fact that the underlying RFCs allow for ambiguities to cause "failed or degraded calls"?

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>