I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

From a security POV this document is mostly ready: it includes as common requirements for all use-cases:

   F11  It must be possible to protect streams and data from
        wiretapping [RFC2804].

and

   F13  The browser must encrypt, authenticate and integrity protect
        media and data on a per-packet basis, and must drop incoming
        media and data packets that fail the per-packet integrity
        check. In addition, the browser must support a mechanism for
        cryptographically binding media and data security keys to the
        user identity (see R-ID-BINDING in [RFC5479]).

which are nice, _but_ it seems to me that, given that metadata interception is now the norm, there should be an additional requirement that identity data should not be available to attackers (i.e. that a GPA or a MitM should not be able to determine who the end-points are from data transmitted in the stream). I note that RFC 5479 also does not appear to include this requirement.

Also, F11 is perhaps a little weak in that it appears to only require protection from a GPA, not from a MitM. RFC 5479 is a little unclear on this point (it discusses active attackers but doesn't specifically say protocols should defend against them).

--
Certificate Transparency is hiring! Let me know if you're interested.