Last Call Review of draft-ietf-sipcore-subnot-etags-

I've reviewed this draft for the security directorate. My review was
reasonably light, although I believe it was sufficient.

This draft defines a mechanism so that subscribers can avoid a
notification message being generated when they already know the
contents of that notification.

The security considerations section claims that this mechanism does
not change the security properties of the protocol: it is just an
optimization. I'm fine with the document as it stands. It's not
inherently true that an optimization of this type doesn't change the
security properties. For example, if an attacker could modify a
subscribe request and suppress a notification, that might change the
However, as far as I can tell, this particular mechanism does not make
any significant changes to the security properties.