I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html).

Please resolve these comments along with any other Last Call comments you may receive.

Document: draft-ietf-vcarddav-carddav-09.txt
Reviewer: Brian Carpenter
Review Date: 2008-09-21
IETF LC End Date: 2009-09-30
IESG Telechat date: (if known)

Summary: Almost ready
--------

Comment:
--------

This is a complex document in an area where my skills are zero. I have to take most of the details on trust, but the draft appears very complete and is well written.

There's no writeup in the tracker comment log.

Major issues:
-------------

I would have liked to see a bit more emphasis on privacy issues in the Security Considerations. In particular, shouldn't there be a fairly strong SHOULD obligation on clients to implement TLS and use it by default? The way the text is written, a client running with no TLS and no HTTP Basic authentication appears to be allowed.

On the same lines,

   Clients MAY choose to warn users when they create address data in a
   public address book, copy or move address data into public address
   books, or change access privileges in such a way as to expose
   address data to unauthenticated users.

Why isn't that a SHOULD?

Minor issues: None. Well, OK, idspell found "resposectively".
-------------