Russ,

> Is an IESG note appropriate? Something simple, like:
> If follow-on work is done in this area, a more robust integrity mechanism,
> such as HMAC-SHA1 [Ref] ought to be employed.
> Thoughts?

This would work. I checked with Dave, he's fine. I guess we can just put this in the text with an rfc-ed note?

Alex