Draft:  draft-ietf-sipping-uri-services-05.txt 
Reviewer: Joel M. Halpern [joel@stevecrocker.com]
Review Date: Saturday 2/18/2006 3:35 PM CST
IETF LC Date: 03 March 2006

Summary: This document is almost ready for publication as a proposed standard.

Requirement GEN 4 requires that servers authenticate the invoker.  If 
this allows null authentication, it is a meaningless 
requirement.  If, as I believe is intended, this requires the use of 
authentication technology, then this is a very strong 
requirement.  It means that even a URI server within a corporation 
serving only corporate destinations, can not waive the 
authentication.  This is much stronger than our usual "security must 
be mandatory to implement, but may be optional to use."  The actual 
test in the security section refers to unauthorized users.  That 
appears to me to be broader, and to allow for the case where 
authorization is implicit rather than explicit.