Last Call Review of draft-ietf-abfab-usecases-
review-ietf-abfab-usecases-genart-lc-krishnan-2012-08-14-00

Request Review of draft-ietf-abfab-usecases
Requested rev. no specific revision (document currently at 05)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2012-08-06
Requested 2012-07-26
Draft last updated 2012-08-14
Completed reviews Secdir Last Call review of -?? by Brian Weis
Genart Last Call review of -?? by Suresh Krishnan
Assignment Reviewer Suresh Krishnan
State Completed
Review review-ietf-abfab-usecases-genart-lc-krishnan-2012-08-14
Review result Ready
Review completed: 2012-08-14

Review
review-ietf-abfab-usecases-genart-lc-krishnan-2012-08-14

I am the assigned Gen-ART reviewer for
draft-ietf-abfab-usecases-03.txt

For background on Gen-ART, please see the FAQ at
<

http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html

>.

Please resolve these comments along with any other Last Call comments
you may receive.

Summary: This draft is ready for publication as an Informational RFC,
but I do have some minor comments that you may like to address.

Minor
=====

* This document references obsolete versions of IMAP and SMTP. Is there
any specific reason for referring to the older versions? If not, I
recommend replacing references to

-> RFC2060 with RFC3501
-> RFC2821 with RFC5321

* Section 3.7

The following text is a bit out of date.

"At present, authentication to these applications will be typically
   configured manually by the user on the device (or on a different
   device connected to that device) but inputting their (usually pre-
   provisioned out-of-band) credentials for that application - one per
   application."

With systems such as IMS that have gotten deployed, at least telco
operator hosted applications can use some form of federated identity
already. I do not have strong feelings about this but I suggest leaving
out operator hosted applications from this characterization.

* Section 3.9

I am not sure I understand the following text

"The utility company may wish to
   grant access only to authorized devices; for example, a consortium of
   utility companies and device manufacturers may certify devices to
   connect to power networks."

What does the word certify mean here? I have always understood it to
mean testing compliance to certain requirements rather than verification
of identity. Can you please clarify?

Thanks
Suresh