Document: draft-iesg-tcpmd5app-00
Reviewer: Spencer Dawkins
Date: July 17, 2004

This document is short, well-organized, and clearly written. I wish
that there was a document (I'm thinking a BCP document) that
institutionalized the peculiar deployment patterns for BGP4 described
in Section 4, but this is the kind of thing people say when they don't
have to write said BCP documents.

This document reminds me of "the emperor's new clothes", because if
the BGP4 infrastructure gets zorched by an attack on MD5 that we've
been expecting for ten years, we'll be looking pretty foolish. But the
document does not make this attack more likely, does call attention to
the possibility of the attack, does describe what an operator can do
to minimize exposure to the attack, and does describe what network
operators are doing, anyway.

If that's reasonable, this is is a reasonable basis on which to build
the salient part of the Internet infrastructure. I'd say, ship it.

Modulo RFC 2026 statements that should be 3667-3668, whatever we're
quoting this week, of course...