I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines an extension for SMTP called RRVS, along with a new MAIL header field called Require-Recipient-Valid-Since, that allows senders to indicate to receivers the last date when the sender confirmed the ownership of the target mailbox with the intended recipient, with a goal of preventing sensitive mail from being delivered to the wrong party if the ownership of a mailbox has changed. The document is easy to understand and covers several information disclosure issues that might arise from abuse of the RRVS extension or matching header. I consider this document to be ready for publication with two small nits: - The suggested abuse countermeasures described in 14.1 should be reworded to indicate that operators SHOULD (or are RECOMMENDED to) implement countermeasures against RRVS probing. - The suggested use restrictions described in 14.2 should be reworded to indicate that operators SHOULD (or are RECOMMENDED to) accept any RRVS datetime as valid for accounts that have only had a single owner, even if the RRVS datetime predates the creation of the target account. -Shaun