I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Metalink provides meta information about resources such as locations where copies can be found or checksums. This specification defines how Metalink data can be transported as HTTP header lines.

The document is generally easy to follow. The security considerations seem to be short but appropriate. That said, it seems the text in section 3 is not final in the sense that there might still be an open issue, although there is also text that says that it is up to the server to decide how many Link headers to send. The fix might be as simple as removing the following text:

   [[Some organizations have many mirrors. Only send a few mirrors, or only use the Link header fields if Want-Digest is used?]]

But then Appendix C lists this again as an open issue, together with a question whether partial hashes should be carried in HTTP as well. Perhaps the answer is "no" and this is just an old open issue item - I can't judge.

Editorial nits:

- p1: s/althought/although/
- p7: s/fieldss/fields/
- p10: s/fieldss/fields/
- p11: s/fieldss/fields/
- p11: s/fieldss/fields/
- p11: s/syncronisation/synchronisation
- p12: s/cyptographic/cryptographic
- p13: s/fieldss/fields/
- p15: s/reponse/response/

/js

--
Juergen Schoenwaelder
Jacobs University Bremen gGmbH
Campus Ring 1, 28759 Bremen, Germany
Phone: +49 421 200 3587
Fax: +49 421 200 3103
<http://www.jacobs-university.de/>