Last Call Review of draft-ietf-sipping-service-identification-
review-ietf-sipping-service-identification-secdir-lc-salowey-2009-08-06-00

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes the reason why implicit service identification
is preferable of explicit service identification.  From a security point
of view I agree with this since explicit identification introduces a
mapping layer which can be a place where security vulnerabilities can
creep in.  I thought the security considerations were a bit light since
implicit identification still requires the participants to validate,
perhaps authenticate and authorize,  the signaling information that they
are using to identify the service.   The secure validation of SIP
signaling should be covered in other documents, perhaps a reference to
their security consideration should be included.  For example, the
document mentions that the URI can be a critical piece in determining
the service identity:  what document describes how to authenticate and
authorize this URI down to the level of granularity needed to
differentiate service identity?   I don't think it is necessary to
provide links to means for validating every possible piece of signaling
information, but links to the main mechanisms used in across different
scenarios would be good.