Document: draft-ietf-mmusic-securityprecondition-03.txt
Reviewer: David L. Black
Review Date: 9 December 2006
IESG Telechat date: 14 December 2006

Summary: This draft is basically ready for publication, but has nits that should be fixed before publication.

Comments:

I checked the -03 vs. -02 diff and the major issues have been resolved.

In the new security considerations section, I didn't see any mention of downgrade attacks (man-in-the-middle removes secure alternative from negotiation, causing use of non-secure streams when secure streams would have been used in his absence) - this mention is ok to omit, as the important point that the offerer's security policy allows non-secure streams in this situation has been added.

Similarly, the security considerations section doesn't say how to avoid the "malicious media stream packets until the answer (indicating the chosen secure alternative) is received" vulnerability, but it's reasonably clear from context that the only obvious way to avoid it is to not offer the non-secure alternative.

I saw this typo in the new text in Section 3:

    At that moment, we furthermore require that ser agents MUST start
                                                ^^^

That's an editorial nit that the RFC Editor will have no difficulty in correcting.