I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document is going for Informational status, not Standards Track, and yet defines a protocol layered over HTTP, using normative language. I have some concern about that -- we know how much attention is often NOT paid to the distinction between Informational and Standards Track.

Further, HTTP seems particularly ill-suited to transporting this protocol... this seems another in the long line of "use HTTP for everything" cases, which BCP 56 has tried (unsuccessfully) to stave off. The "callbacks", in particular, are worrisome -- the payload has to contain all the state information, the system doing the callback has to have the correct addresses of the system that originally contacted it, and the whole thing is vulnerable to asymmetry problems (firewalls, NAT, multi-homing, and so on; see http://tools.ietf.org/id/draft-iab-ip-model-evolution-01.txt and Dave Thaler's technical plenary presentation from IETF 73, http://www.ietf.org/proceedings/73/plenaryw.html).

At least it's not doing it over port 80. :-)

-- Barry Leiba