I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments. Note:  I recently submitted a review of draft-hollenbeck-rfc4933bis-02.  That was a mistake on my part; that was not the document I was supposed to review. Sandy Murphy is down for reviewing that one.  I am supposed to review this one.  This document is the update of the based specification of  EPP, and so is related to rfc4933bis-02. I've also had some discussion with Sandy about the issue she raised with respect to draft-hollenbeck-rfc4933bis-02.  That is actually what I first thought it was:  EPP only does a weak form of authentication. So it depends on strong authentication done at the transport level or application level.  However there is nothing in the document that I can see that says that the EPP ID must match the transport ID.  Thus, if it is relying on the authentication being done at the transport level, there appears to be nothing to prevent the transport level channel being replaced by another one at some point.  I am not enough of an expert on EPP to make a definite recommendation as to how or whether this needs to be addressed, but I feel that this is something that needs to be brought to the attention of the IESG and discussed in the next telechat.   If the issue does need to be addressed, rfc4930bis is the place where it should be handled.  Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email:  catherine.meadows at nrl.navy.mil