I re-reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.   I compared the -08 and -09 version of this document, using the IETF diff tool. The authors responded to my concern that there were many instances of what appeared to be normative text in Sections 3 and 4, yet almost all instances of the words “must” and “should” were lowercase. They removed all of the words in question. I'm surprised by this outcome, but if the WG chairs and ADs believe the resulting text is correct, with NO normative terms, so be it. The authors also revised the Security Considerations (Section 7) text, addressing all of my comments.