Telechat Review of draft-ietf-nfsv4-multi-domain-fs-reqs-09
review-ietf-nfsv4-multi-domain-fs-reqs-09-secdir-telechat-housley-2016-09-01-00

I reviewed this document as part of the Security Directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the Security Area
Directors.  Document authors, document editors, and WG chairs should
treat these comments just like any other IETF Last Call comments.

Version reviewed: draft-ietf-nfsv4-multi-domain-fs-reqs-09


Summary: Ready

Thank you for rewriting the Abstract and Introduction.  They are much
improved.


Major Concerns:  None.


Minor Concerns:

The first paragraph in Section 3 includes: "The issues with multi-domain
deployments described in this document apply ...".  I do not think that
"issues" is the right word.  To be consistent with the title of the
document, it should be talking about guidance or deployment
alternatives.

In Section 6.2.1, it says:

   Multiple security services per NFSv4 Domain is allowed, and brings
   the issue of mapping multiple Kerberos 5 principal@REALMs to the same
   local ID.  Methods of achieving this are beyond the scope of this
   document.

I think it would be better to use "need" instead of "issue".


Nits:

Please change "internet" to "Internet" throughout the document.

In Section 2, "Stringified UID or GID" definition:  Please add "of" to
the last sentence, so that it reads: "See Section 5.9 of [RFC5661]."