Hi.

I've reviewed draft-ietf-avt-srtp-not-mandatory for the security directorate. The security ADs should read this draft very carefully, although I think that's obvious from the filename. However, after doing a careful reading of my own, I didn't find any problems.

I might wish for a stronger statement in section 5 that particular profiles of RTP need to specify a mandatory-to-implement security mechanism. However, this is not a BCP, and I can understand why you wouldn't put that statement in an informational document. Also, it's a bit tricky to get that statement right, considering for example the implications of a profile of RTP that might of itself be a framework.