Draft: draft-ietf-sipping-policy-package-01
Reviewer: Shida Schubert
Review Date: 28 Aug 2006
Review Deadline: 25 Aug 2006
Status: Initial review

Summary: This draft is on the right track but has open issues, described in the review.

I only have some technical concerns:

Section 3.6/3.9
Maybe it belongs in the framework document, but there is no normative behavior in either document for the UAC or UAS when the policy server either returns an error upon subscription or when a notification does not arrive within a reasonable time frame.

Section 3.7
1st paragraph, 2nd sentence: Because a remote policy server may be contacted, the techniques listed in the draft might not suffice for authentication/authorization. Mentioning P-A-ID/AIB/SIP-Identity as a potential way to authenticate a client (subscriber) may be good.

Section 4
All the security considerations focus on the UA, but with the policy server possibly providing policy information of the domain to an outside entity, there is a security consideration surrounding the domain's security as well. If no proper security is set for providing policy information to an entity outside of the domain, a malicious user can gain access to potential attack points such as the IP/port to use, etc. Currently all you need is the policy server's URI to gain access to this, as there is no correlation between the request that caused the 488 and the SUBSCRIBE request.
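The Section 4 point above, modelled in code as an added example that is not part of the review, the draft, or any SIP stack: a policy server that returns domain policy to anyone who reaches its URI, beside a variant that ties each SUBSCRIBE to the identity and Call-ID of the request that was rejected with 488. The "Correlation-Token" header, the 488 hint structure and the sample policy contents are assumptions made for illustration; the draft defines none of them.

```python
"""Toy model of an open vs. a correlated policy server (illustration only)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class SipRequest:
    method: str      # INVITE or SUBSCRIBE
    identity: str    # authenticated identity (e.g. via P-A-ID/AIB/Identity); "" if none
    call_id: str     # Call-ID of the session the policy applies to
    headers: dict    # only the hypothetical Correlation-Token header is consulted


class PolicyServer:
    """One server, two SUBSCRIBE dispositions: open and correlated."""

    def __init__(self, domain: str):
        self.domain = domain
        self.key = secrets.token_bytes(32)   # per-server MAC key for correlation tokens
        self.spent: set[str] = set()         # tokens already redeemed (one-time use)
        # Constructed sample policy: the kind of "attack point" (relay address,
        # port range) the review says an outsider could harvest.
        self.policy = {"media_relay": "relay.example.net", "rtp_ports": "10000-20000"}

    def _token(self, identity: str, call_id: str) -> str:
        """MAC over the identity and Call-ID of the rejected request."""
        msg = f"{identity}|{call_id}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def reject_with_policy(self, invite: SipRequest) -> dict:
        """What the domain returns with the 488: the policy URI plus a
        one-time token bound to this request (hypothetical hint format)."""
        return {
            "status": 488,
            "policy_uri": f"sip:policy@{self.domain}",
            "token": self._token(invite.identity, invite.call_id),
        }

    def subscribe_open(self, sub: SipRequest) -> tuple[int, dict | None]:
        """The situation the review describes: knowing the URI is enough."""
        return 200, self.policy

    def subscribe_correlated(self, sub: SipRequest) -> tuple[int, dict | None]:
        """Require an authenticated subscriber and a token that matches the
        488 this subscriber actually received for this Call-ID."""
        if not sub.identity:
            return 401, None                 # no P-A-ID/AIB/Identity: challenge
        presented = sub.headers.get("Correlation-Token", "")
        expected = self._token(sub.identity, sub.call_id)
        if presented in self.spent or not hmac.compare_digest(presented, expected):
            return 403, None                 # no matching 488, or token replayed
        self.spent.add(presented)
        return 200, self.policy


def demo() -> dict:
    """Run both dispositions against a legitimate subscriber and an outsider."""
    ps = PolicyServer("example.net")
    invite = SipRequest("INVITE", "sip:alice@example.net", "call-1", {})
    hint = ps.reject_with_policy(invite)

    legit = SipRequest("SUBSCRIBE", "sip:alice@example.net", "call-1",
                       {"Correlation-Token": hint["token"]})
    # Outsider who only learned the policy URI; never caused a 488 here.
    outsider = SipRequest("SUBSCRIBE", "sip:mallory@attacker.example", "call-x", {})

    return {
        "open_outsider": ps.subscribe_open(outsider)[0],        # 200: policy leaks
        "corr_legit": ps.subscribe_correlated(legit)[0],        # 200
        "corr_replay": ps.subscribe_correlated(legit)[0],       # 403: token spent
        "corr_outsider": ps.subscribe_correlated(outsider)[0],  # 403: no matching 488
    }


if __name__ == "__main__":
    print(demo())
```

The token is a MAC rather than random state so the server need not remember every 488 it issued; the `spent` set is what stops a captured token from being replayed, and the identity check is what makes the token useless to a party that did not authenticate as the original requester.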