I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

CEMA is an SDP/MSRP extension that enables the "anchoring" of MSRP
traffic through middleboxes that do not act as MITMs.  This is a good
thing if such anchoring is needed at all.

The security considerations seems complete enough to me, and I believe
it matches the media anchoring mechanism described in section 4,
though I'm not sufficiently familiar with MSRP to say so for certain.
In general it seems that CEMA improves security here (by allowing
proxies to anchor media without having to act as MITMs) without making
it worse in any way: in particular security generally depends on
signaling security in SIP.

Nico
--