
Last Call Review of draft-ietf-6man-rfc6874bis-02
review-ietf-6man-rfc6874bis-02-secdir-lc-johansson-2022-09-27-00

Request
  Review of: draft-ietf-6man-rfc6874bis
  Requested revision: No specific revision (document currently at 09)
  Type: Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2022-09-26
  Requested: 2022-09-12
  Authors: Brian E. Carpenter, Stuart Cheshire, Bob Hinden
  I-D last updated: 2022-09-27
  Completed reviews:
    Artart Last Call review of -02 by Martin Thomson
    Secdir Last Call review of -02 by Leif Johansson
    Genart Last Call review of -02 by Roni Even
    Opsdir Last Call review of -02 by Jürgen Schönwälder
    Intdir Telechat review of -05 by Carlos J. Bernardos
    Secdir Telechat review of -09 by Leif Johansson

Assignment
  Reviewer: Leif Johansson
  State: Completed
  Request: Last Call review on draft-ietf-6man-rfc6874bis by Security Area Directorate Assigned
  Posted at: https://mailarchive.ietf.org/arch/msg/secdir/4kFHhA9h7PGwcQOxRord1nBHO34
  Reviewed revision: 02 (document currently at 09)
  Result: Has nits
  Completed: 2022-09-27

I have reviewed this document as part of the security directorate's ongoing effort 
to review all IETF documents being processed by the IESG.  These comments were 
written primarily for the benefit of the security area directors.  Document editors 
and WG chairs should treat these comments just like any other last call comments.

In summary: one issue

Overall the document seems ok and well written to me but for one thing: the lack of 
normative language in section 4. The explanation that this is because of a lack of 
clear behavioral distinction between browser input boxes and URI parsers seems
a bit weak to me. I don't understand why it isn't desirable to write down normative 
language for the behavior of one of these cases (URI parsers) even if the other (input 
boxes) can't be specified. 

This phrasing caught my eye: "It is desirable for all URI parsers to recognise a zone 
identifier according to the syntax defined in Section 3." Since the bulk of the I-D
is in section 3, why not make this normative language along the lines of "URI parsers
implementing this specification MUST recognize zone identifiers according to the 
syntax in section 3."? The fact that not all browsers choose to do so is a separate 
issue.

Also this: "It is desirable for all URI parsers to recognise a zone identifier according 
to the syntax defined in Section 3." We already know this is not the case but isn't it
better to have a document that clearly defines the behavior for those browsers who 
choose to implement this I-D?