[secdir] Review of draft-levin-mmusic-xml-media-control-12

Hello,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Overall as an informational ID I believe the document is well written and it should be published as soon as possible.

I have the following non-blocking COMMENTS:

1. Section 2, inconsistent use of RFC2119 language, "shipping products and new products SHALL use ...", the preceding sentence seems to suggest it is a "SHOULD" not a "SHALL".

 2. Section 4, the inconsistently spelling of "in time" vs "in-time". Not being an expert in this field, it is not clear to me what the parenthesis actually adds.

 3. Section 4, (what I consider) incorrect use of RFC2119 language, "... MUST be validated by ...", I do not know what does the use of "MUST" imply here. Suggestion: it should be sufficient to drop the "MUST" keyword here, try "is validated ...".

4. Section 5, "the UAC that sent...", please expand "UAC" on first use.

5. section 7, unclear statement, "Note that this primitive is supported by all known implementations", it is not clear to me which primitive it refers to. Suggestion: quote a reference for the primitive in question.

6. section 10, overall this section could benefit from more details or references. For example, it is not clear how TLS can be applied to secure the signalling path. Also the last sentence seems to contradict with the rest of this section. The section in RFC2976 only explicitly mentions confidentiality. Suggestion: it might be sufficient to say the security considerations in RFC2976 apply here.

Best regards,

--larry