Hi all,

I re-reviewed the new doc version and did not see any changes related to my comments, nor did I receive any direct replies from the authors. (Note: this might well be due to some technical errors on the IETF mail server, which I think is fixed now.)

As I am not sure whether my review email was received by the authors, here it is again.

Best regards, Tobias

as I am not sure whether these

On 06/12/13 19:29, Tobias Gondrom wrote:

Hi all,

as it seems my previous review email was not relayed to the secdir and iesg mailing-lists. Here it is again.

Best regards, Tobias

On 25/11/13 23:50, Tobias Gondrom wrote:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The document updates RFC4627 and aims for Standards Track. It is about the JSON Data Interchange Format.

This document appears ready for publication.

It is good that we make the effort to incorporate the existing errata into an updated RFC.

Some small nits / thoughts (as comments, none of them a discuss):

- section 1: you briefly explain strings, objects and arrays. Do you maybe also want to make a brief statement about the range of allowed numbers or point towards section 6? (though this is not absolutely necessary as you discuss the data types in more detail in sections 4-7).

- section 12. Security Considerations: second paragraph: the point about the "eval()" function is a bit shallow; it might be useful to discuss this a bit more and to spell out what would be best practice instead of "use that language's "eval()" function to parse JSON texts." as that "generally constitutes an unacceptable security risk"

- section 1 or 2: it might be useful to spell out what exactly the most important changes are in comparison to 4627 and why. Or mention that this would be discussed in detail in Appendix A.

Best regards, Tobias
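
The "eval()" point from the Security Considerations comment above, as an added example that is not part of the original email or of the draft: it contrasts parsing with eval() against a strict parser (JavaScript's built-in JSON.parse). The function names, the sample inputs and the side-effect counter are constructed for illustration.

```javascript
// Added example: eval() is a code evaluator, not a JSON parser.
// All inputs below are constructed samples.

let sideEffects = 0; // stands in for any state that injected code could touch
function recordSideEffect() { sideEffects += 1; return "x"; }

// The pattern the draft warns about: the text is run as a JavaScript
// expression, so anything that is valid JavaScript gets executed.
function parseWithEval(text) {
  return eval("(" + text + ")");
}

// Strict parsing: only the JSON grammar is accepted and nothing in the
// input is ever executed. Malformed input is reported, not evaluated.
function parseStrict(text) {
  try {
    const value = JSON.parse(text);
    // Assumption for this example: the application expects a JSON object.
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      return { ok: false, error: "UnexpectedType" };
    }
    return { ok: true, value };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

const validJson = '{"user": "alice", "admin": false}';
// Looks like JSON at a glance, but one member value is a function call.
const notJson = '{"user": recordSideEffect(), "admin": false}';

function demo() {
  sideEffects = 0;
  const evalResult = parseWithEval(notJson); // the embedded call runs here
  const afterEval = sideEffects;
  const strictBad = parseStrict(notJson);    // rejected with a SyntaxError
  const afterStrict = sideEffects;           // unchanged by the strict parser
  const strictGood = parseStrict(validJson);
  return { evalUser: evalResult.user, afterEval, afterStrict, strictBad, strictGood };
}

console.log(demo());
```
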