Document: draft-altman-telnet-starttls-02.txt
Title: Telnet START-TLS Option
Reviewer: Vijay K. Gurbani
Review Date: January 8, 2007
IETF LC Date: January 15, 2007

This draft is basically ready for publication, but has nits that should be fixed before publication.

This draft proposes the use of TLS between a telnet server and a telnet client in order to ensure privacy and integrity of telnet sessions.

Nits and some discussion points follow:

0) The contents do not have page numbers.

0.1) The title of Section 4.1 in the ToC should be:

   OLD: 4.1 Authentication of the Client by the Server
   NEW: 4.1 Authentication of the Server by the Client

   and, the title of Section 4.2 in the ToC should be:

   OLD: 4.2 Authentication of the Server by the Client
   NEW: 4.2 Authentication of the Client by the Server

   That way, the ToC matches the contents of the text, which has the correct headings.

1) In S1, second paragraph, s/allowed to access to that/allowed access to that

2) I think that the discussion in the Introduction section will benefit from a figure; something like this:

          Existing trust              TLS              Existing trust
           relationship            Protected            relationship
                 |                     |                     |
                \|/                   \|/                   \|/
      +---+   +---+      +------+           +------+      +---+   +---+
      |   |---|   |------|Telnet|===========|Telnet|------|   |---|   |
      +---+   +---+      |Client|           |Server|      +---+   +---+
                         +------+           +------+
       Client End                                           Server End
        Systems                                              Systems

3) In S5.1, it is stated at the end of the first paragraph that, "The verification SHOULD then continue with a check to see if the fully qualified host name which the client connected to appears anywhere in the server's subject (DN)."

   What may throw off the uninitiated reader here is the use of the phrase "fully qualified host name" above. To be unambiguous, let me state what I think you mean by the phrase above. I believe you mean that if a client uses a host name of "telnet.example.com" to query DNS, and DNS returned "host1.example.com" in response to a SRV query, then the connection itself is established with the host host1.example.com. However, the certificate presented by host1.example.com must assert the identity "telnet.example.com", since this was the DNS query string. If so, consider replacing "fully qualified host name" in the paragraph with the phrase "DNS query string" or equivalent.
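The name-selection rule described in point 3, as an added example (not code from the draft or the reviewer): the client connects to the SRV target but verifies the certificate against the name it originally queried. It assumes the certificate's DNS identities have already been extracted into a list (subject CN plus any dNSName SANs; the SAN part is an assumption beyond the quoted S5.1 text) and implements a plain leftmost-label wildcard match.

```python
# Constructed sample, following the reviewer's scenario in point 3.
QUERY_NAME = "telnet.example.com"   # the DNS query string the client started from
SRV_TARGET = "host1.example.com"    # host named in the (unauthenticated) SRV answer
CERT_GOOD = ["telnet.example.com"]  # identity host1's certificate should assert
CERT_WRONG = ["host1.example.com"]  # asserts only the SRV target: must be rejected


def plan_connection(query_name: str, srv_target: str) -> tuple[str, str]:
    """Return (host to connect to, reference identity to verify).

    The TCP connection goes to the SRV target, but the reference identity
    stays the name the client asked DNS about, because the SRV answer itself
    was not authenticated.
    """
    norm = lambda n: n.rstrip(".").lower()
    return norm(srv_target), norm(query_name)


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name comparison; '*' is accepted only as the
    whole leftmost label, and not for two-label patterns such as '*.com'."""
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h):
        return False
    if "*" in p[1:]:                 # wildcard somewhere other than leftmost label
        return False
    if p[0] == "*" and len(p) < 3:   # refuse over-broad wildcards like "*.com"
        return False
    return all(a == b or (i == 0 and a == "*")
               for i, (a, b) in enumerate(zip(p, h)))


def server_identity_ok(query_name: str, srv_target: str, cert_names: list[str]) -> bool:
    """True only if some certificate identity matches the DNS query string,
    regardless of which host the connection was actually made to."""
    _connect_host, reference = plan_connection(query_name, srv_target)
    return any(name_matches(n, reference) for n in cert_names)


if __name__ == "__main__":
    print(plan_connection(QUERY_NAME, SRV_TARGET))
    print("good cert:", server_identity_ok(QUERY_NAME, SRV_TARGET, CERT_GOOD))
    print("wrong cert:", server_identity_ok(QUERY_NAME, SRV_TARGET, CERT_WRONG))
```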