I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document revises RFC 3388 and the changes seem quite small:

----------------------------------------------------------------------
10. Changes from RFC 3388

The grouping mechanism is now defined as an extendible framework. Earlier, [RFC3388] used to discourage extensions to this mechanism in favor of using new session description protocols.

Given a semantics value, [RFC3388] used to restrict "m" line identifiers to only appear in a single group using that semantics. That restriction has been lifted. From conversations with implementers, it seems that the lifting of this restriction is unlikely to cause backwards compatibility problems.
----------------------------------------------------------------------

I do not see that those changes would introduce any new security considerations that the current Security Considerations section does not already cover. Of course, as this is now an extendible framework, the new semantics might change this situation in the future.

The current Security Considerations section does already include a note that, using FID semantics, the attacker who is able to modify group parameters can send a copy of the media to other destinations, but it also points out that integrity mechanisms can be used to prevent this attack and that in "SIP S/MIME and TLS can be used to protect session description exchanges in an end-to-end and a hop-by-hop fashion respectively."

--
kivinen at iki.fi