Draft: draft-ietf-tls-rfc2246-bis-12
Reviewer: Lakshminath Dondeti [ldondeti@qualcomm.com]
Date: Wednesday 6/8/2005 5:27 PM CST

Summary: The I-D is generally ready for publication, but I do have a concern.

I am not a fan of RFCs saying that "this entire document is about security considerations or something to that effect." It is worthwhile to still summarize the security properties covered in the document, and also list some potential threats that are not covered.

I am also not a fan of the section on security considerations tucked away in an obscure place, for instance after appendices as in tls-rfc2246bis. What's more, it is not even listed in the ToC.

What's also interesting is that this I-D is co-authored by Eric Rescorla, who wrote RFC3522, on how to write Security Considerations. Now I respect Eric's contributions and his expertise in the security area very much. Turns out RFC 3522 also puts its Security Considerations after References, which is odd too. So, I am going to -- when I find time -- take this up with him in a separate thread.

Brian, I am not sure whether you should make this an issue at this stage on this RFC. TLS is a widely-read spec, so considering there might be a lot of folks waiting for this to be an RFC, it probably does not make sense to further delay this spec. OTOH, because it is widely read, it probably should be written better and must have a meaningful security considerations section (this is just a matter of reorganizing some text in the appendices into the section titled "Security Considerations" and moving that section into the body of the I-D/RFC).