Sam Weiler informed me that this draft will be on telechat this week.
I did not receive any answer from the authors to my review of this document as
part of the security directorate review process, three weeks ago.
Please consider my comments as formal COMMENTS in the IESG evaluation.
And at the discretion of the AD: #2 and #4 could/should be seen as a DISCUSS.
Best regards, Tobias
[mailto:secdir-bounces(_at_)mit(_dot_)edu] On Behalf Of Tobias Gondrom
Sent: Thursday, June 28, 2007 3:33 PM
To: secdir(_at_)mit(_dot_)edu; iesg(_at_)ietf(_dot_)org
Cc: fluffy(_at_)cisco(_dot_)com; karim(_at_)athonet(_dot_)com;
Subject: [secdir] SecDir review of draft-ietf-sipping-v6-transition-05
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.
My review has the following comments to the draft:
1. One spelling error:
s/domain instead of of using the/ domain instead of using the
2. section 4.3: I can not understand why this is a MAY and not at least a
SHOULD (or MUST):
Once the answerer has generated an answer following the ICE
procedures, both user agents MAY perform the connectivity checks
specified by ICE.
Would recommend to use at least SHOULD instead of MAY in this statement.
Maybe good would even be a MUST???
3. section 7 security consideration:
This section refers to sec considerations in other documents, stating that
those cover threats and countermeasures adequately, namely references , 
 is ok, but  and  are still work in progress, so it must be especially
taken care of by the WG chairs that both documents really fulfil this promise.
With  this looks like near to fulfilment, but  still is not complete in
its Security considerations section and must be improved in before LC to also
keep up with the promise made in this document.
4. section 7:
The section correctly informs about the risk that this draft
"they may make hosts more amenable to existing threats. "
And it provides an example afterwards. This is good.
But I would expect or at least suggest to also provide information about how
this risen risk should be countered.
Best regards, Tobias
Head of Open Text Security Team
Director, Product Security
Open Text Corporation
Phone: +49 (0) 89 4629-1816
Mobile: +49 (0) 173 5942987
Telefax: +49 (0) 89 4629-33-1816
Place of Incorporation / Sitz der Gesellschaft: Open Text GmbH, An der Trift
65, 63303 Dreieich, Germany | Phone: +49 (0) 6103 890 40 | Fax: +49 (0) 6103 89
04 11 | Register Court / Registergericht: Offenbach, Germany | Trade Register
Number / HRB: 33340 | VAT ID Number /USt-ID: DE 114 169 819 | Managing
Director / Geschäftsführer: John Shackleton
Ietf mailing list