Document: draft-ietf-trade-voucher-vtsapi-06.txt
Review: John Loughney
Date: 3 February 2005

Lumping these two together:

Voucher Trading System Application Programming Interface (VTS-API)

1) I share the same issue as other IESG members of the Security Considerations. Having security as an implementation detail is not sufficient:

   Security is very important for trading vouchers. VTS implementations are responsible for preventing illegal acts upon vouchers as described in [VTS], as well as preventing malicious accesses from invalid users and fake server attacks including man-in-the-middle attacks. The means to achieve the above requirements are not specified in this document since it depends on VTS implementation, ...

I think this document needs to require mandatory to implement security and explain why this is needed.

2) More security worries:

   This document assumes that the VTS plug-in is trusted by its user. The caller application of a VTS should authenticate the VTS plug-in and bind it securely using the VTS Provider information specified in the Voucher Component. This document, however, does not specify any application authentication scheme and it is assumed to be specified by other related standards. Until various VTS systems are deployed, it is enough to manually check and install VTS plug-ins like other download applications.

I think we need to have stronger language than this. Users will download anything, secure or not. What is to prevent someone from downloading a bogus VTS plug-in? Much tighter security is required here.

I'd file a discuss for this draft.