Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document seems to have limited scope. It defines an extension via which a user can ask another user to send a request to a third party. The opening statement in the document does not convince me this is a generically useful extension comparing with leaving such facility application specific. The text does not tell me what motivates the second user to comply with the multiple-refer extension, or why the first user does not want to send the command directly given it knows the list of recipients. My guess is that the second user either has more information or have more resources (that the first user would believe) but the document does not explain that. I am rather uncomfortable with the security aspects of this extension. The security considerations section in the current document looks like boilerplate and I suspect there are plenty of security issues to consider. For example, it would be helpful if it can go though all possible SIP commands that could be used in the multiple-refer method and illustrate what kinds of authorization should be checked, and discuss the implications for the second user if the later chooses to comply. Thanks, --larry _______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf