I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and others should treat these comments just like any other comments. This document defines an extension to IMAP [RFC3501] to allow metadata (or annotations) to attached to and read from various objects. I see no serious problems with this draft, but do have some comments. I think the second consideration might better be stated first and worded not only to discuss arbitrary data, not just data of arbitrary size. Hence, an attacker can not only use this as an avenue for a denial of service attacks upon servers and upon the clients of any user, but can use the mechanism to mount a wider range of attacks upon servers and clients. I recommend this be called out even if this issue exists in the base protocol. There should be some discussion of any possible privacy concerns regarding any of the defined entries. Also, when you say "all users of the system", do you really mean all? Some implementors might take this as precluding use of access controls to restrict who sees what. It might be better to drop replace "all" with "authorized". A couple of non security related comments: I assume text/plain entries can span multiple lines. It would be good to include a multi-line example in the document. Also, an octet string example might be useful. It might be good for /public/admin to allow multiple URIs, with comments, to be provided. For instance, Admin <admin@xxxxxxxxxxx> 24-hour hotline <tel:18005550000> Issue Tracker <http://example.com/tracker> Regards, Kurt _______________________________________________ IETF mailing list IETF@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf