Re: [Last-Call] Tsvart last call review of draft-ietf-mmusic-msrp-usage-data-channel-23

Hi Yoshifumi,

Thank you for the review! Please see inline.

>Summary: This document is almost ready for publication, but I think it will be better to clarify the following points.
>
>1: If the other endpoint is on a TCP connection, it seems to me that it can look like downgrading the security level of the connection.
>   If this is the case, do we need some guidance here?

I assume you are talking about the gateway.

It is true that "legacy" MSRP allows TCP transport. RFC 4975 describes the security issues associated with that.

I suggest adding the following text to the Security Considerations.

OLD:

   "MSRP traffic over data channels is secured, including
   confidentiality, integrity and source authentication, as specified by
   [I-D.ietf-rtcweb-data-channel]."

NEW:

   "MSRP traffic over data channels is secured, including
   confidentiality, integrity and source authentication, as specified by
   [I-D.ietf-rtcweb-data-channel]. However, [RFC4975] allows transport of
   MSRP traffic over non-secured TCP connections. In a gateway scenario,
   unless the operator mandates usage of TLS, the MSRP traffic will not be
   secured all the way between the MSRP endpoints. [RFC4975] describes
   the security considerations associated with non-secured MSRP traffic."

---

> 2: 'If the non-data channel endpoint does not support MSRP CEMA, transport level interworking mode is not possible,
>   it needs to act as an MSRP B2BUA.'
>   -> This may sound like it falls back to B2BUA when CEMA is not available.
>        But, I guess there might be a case where users don't want fallback.

I don't think the users really care. CEMA is a transport connection establishment feature. Even with legacy MSRP, there
could be a fallback if one of the endpoints doesn't support CEMA, but users are not informed about whether CEMA is used or not.
---

> 3: As the doc mentions the use of B2BUA, it might be useful to refer to the security considerations in RFC7092 in Section 9.

I assume you mean Section 6?

I can add an informative reference to RFC7092:

OLD:

   "In one model, the gateway performs as an MSRP Back-to-Back User Agent
   (B2BUA) to interwork all the procedures as necessary between the
   endpoints.  No further specification is needed for this model."

NEW:

   "In one model, the gateway performs as an MSRP Back-to-Back User Agent
   (B2BUA) [RFC7092] to interwork all the procedures as necessary between the
   endpoints.  No further specification is needed for this model."

---

Regards,

Christer
