Security review of File Transfer Protocol HOST Command
draft-hethmon-mcmurray-ftp-hosts-11

Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This protocol modification adds a command ("HOST") by which the client designates a virtual host. The server will then use an authentication method suitable for that host, much as though a separate FTP server were running for each virtual host.

There is a small area of concern surrounding the information contained in the "HOST" command. If the name of the virtual host is sensitive information, then clients should protect it by using encryption when first connecting to the server. Although the document anticipates host names as being publicly available DNS names, that is not necessary, and some organizations will probably use private names.

Hilarie
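
The concern raised in the review, as an added example that is not part of the review or the draft: a check over a client-side control-channel log that reports virtual host names sent with HOST before the connection was encrypted. The "C:"/"S:" log format, the function name and the sample sessions are assumptions made for illustration; reply code 234 as the acceptance of AUTH comes from the FTP security extensions.

```python
from typing import Iterable, List

# Constructed sample sessions ("C:" = client command, "S:" = server reply).
HOST_AFTER_TLS = ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed",
                  "C: HOST files.corp.example", "S: 220 host accepted"]
HOST_BEFORE_TLS = ["S: 220 ready", "C: HOST files.corp.example",
                   "S: 220 host accepted", "C: AUTH TLS", "S: 234 proceed"]
AUTH_REFUSED = ["S: 220 ready", "C: AUTH TLS", "S: 504 not supported",
                "C: HOST files.corp.example", "S: 220 host accepted"]


def cleartext_host_names(transcript: Iterable[str],
                         implicit_tls: bool = False) -> List[str]:
    """Return virtual host names sent with HOST while the control
    connection was still unencrypted."""
    if implicit_tls:          # TLS from the first byte: nothing is exposed
        return []
    exposed: List[str] = []
    auth_pending = False      # AUTH sent, final reply not yet seen
    encrypted = False         # True once the server accepts AUTH (234)
    for raw in transcript:
        side, _, text = raw.partition(":")
        side, text = side.strip().upper(), text.strip()
        if not text:
            continue
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH":
                auth_pending = True
            elif verb == "HOST" and arg and not encrypted:
                exposed.append(arg)
        elif side == "S" and auth_pending:
            # Skip continuation lines of a multi-line reply ("234-...").
            if text[:3].isdigit() and text[3:4] in ("", " "):
                encrypted = text.startswith("234")
                auth_pending = False
    return exposed


if __name__ == "__main__":
    for name, log in [("after TLS", HOST_AFTER_TLS),
                      ("before TLS", HOST_BEFORE_TLS),
                      ("AUTH refused", AUTH_REFUSED)]:
        print(name, cleartext_host_names(log))
```

A refused AUTH leaves the channel in cleartext, so a HOST that follows it is reported just like one sent before any AUTH.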