Draft: draft-ietf-rohc-sigcomp-torture-tests-03.txt
       draft-ietf-rohc-sigcomp-user-guide-04.txt
Reviewer: Black_David@emc.com
Review Date: Thursday 12/15/2005 1:49 PM CST
Telechat Date: 12/15/2005

Summary: These drafts are basically ready for publication, but have nits that should be fixed before publication.

The drafts are well-written, and clear, plus I'm late in getting to this review, so I'll limit myself to one nit:

The Security Considerations section of the torture tests draft understates the security value of the draft. The torture tests include tests for a significant number of "boundary and error cases" for execution of UDVM bytecode. A common attack vector against a virtual machine like UDVM is to find a boundary or error case where the bytecode can escape containment by the virtual machine, enabling the bytecode to mount an attack on the internals of the virtual machine implementation. Ensuring that a UDVM implementation executes this set of torture tests correctly should close off a significant number of possible opportunities for containment escape, contributing to the security of implementations. It would be good to add a few sentences about this to the Security Considerations section, but it is not necessary to do so.

The user guide draft looks fine on a quick read.