(with corrected subject line)

Security review of The IETF-ISOC Relationship
draft-ietf-iasa2-rfc2031bis-05

Do not be alarmed. I generated this review of this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

Knitz.

This is an overview of the ways the IETF and the ISOC are entwined with structural and legal relationships. I believe that changes to the RFC have been required because a new entity, the IETF LLC, is being formed. That slightly changes the way the IETF and ISOC interrelate.

Does this affect the security of the Internet (something that might be regarded as largely a mythical concept)? The only problem that comes to mind is that the several organizations might at some future time have philosophical differences that are so deep that the ability of the IETF to publish RFCs would be disrupted. The organization that holds IP is different from the organization that has the financial oversight, and neither is the IP generator, so things might come apart in some unforeseeable future. I can see that the way the boards are structured largely mitigates such worries. Perhaps that is the best that can be done.

An important document, the "operating agreement" ("Limited Liability Company Agreement of IETF Administration LLC", August 2018), is not available via the reference section of the draft in question. I was able to use Internet search to find a copy.

Section 6, "Legal Relationship with ISOC" mentions both the IETF LLC and the IETF Trust. It would greatly help to use subheadings to clarify that these are two separate legal entities.

This sentence is a grammatical trainwreck: "It was established by the ISOC/IETF LLC Agreement [OpAgreement] on August 27, 2018, and governs the relationship between the IETF LLC and ISOC." The pronoun "it" refers to the IETF LLC. The second clause has no subject, but if it did, the subject would be "the operating agreement".

We also see that "The creation of the IETF LLC has changed the way that the IETF Trust's trustees are selected but did not change the purpose or operation of the Trust. One of the IETF Trust's trustees is appointed by the ISOC's board of trustees." How did it change the way the trustees are selected? Were there previously more or fewer than one trustee appointed by ISOC? Or was there some other change?

This sentence, which has probably been there for some time, "ISOC has agreed to provide some funding support for the IETF (ISOC has historically provided the IETF with significant financial support)" sounds odd. What is the difference between "some" and "significant"? Should it be "insignificant" and "significant"? "Not much" and "a lot"? Is the differentiation even meaningful now? When did ISOC last affirm its agreement? Does it matter?

RFCs generally use American spelling, so at least the uncapitalized uses of "programme" should be changed to "program" in:

ISOC also supports the IETF standards process more indirectly (e.g., by promoting it in relevant communities) through several programmes. For example, ISOC's Policymakers Programme to the IETF (usually referred to simply as ISOC's policy fellows programme)