January 14th, 2002, 05:08 PM
#14
From what I understand of Gibson's current implementation, his stack would be vulnerable to "token" replay:
Someone could establish a legitimate connection from a public computer (i.e., from a different IP), capture the SISN, then reuse that SISN on a fake packet (setting the packet's client addy as the one from the public computer used)...
Even if the key is changed every reboot, web servers are meant to be up for long periods of time, leaving a good window of opportunity... I guess someone could also automate this process using trojaned computers and exchanging IPs & SISN between them...
*disclaimer, I might be wrong but this is what I'm seeing...
On the editorial side, what bothers me with Gibson is his quick bold (in both ways) absolute statements, declaring things perfect before peer review... Just have a look at the last (third) page, he had to apologize because he was too quick with his words... And also of course the formatting of his papers... Usually in the IT community, you *suggest* new ideas and standards in an emotion-free paper that states only facts which is easy to (peer) review... Gibson on the other hand rolls out the marching band and loudspeaker vans to announce to the world that is great (sorry for the emotion, but that shows my point).
Ammo
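An added example, not part of the original post and not Gibson's code: a simplified model of the replay window the post describes, comparing a token that stays valid until the key changes with one that also covers a time epoch. It assumes a stateless handshake token computed as a truncated HMAC over the client address with a per-boot key; the function names, the key and the 64-second epoch are hypothetical.

```python
import hashlib
import hmac
import socket
import struct

BOOT_KEY = b"constructed-per-boot-secret"  # constructed sample key (assumption)
EPOCH_SECONDS = 64                          # hypothetical token lifetime bucket


def _token(ip, port, epoch=None):
    """32-bit token: truncated HMAC over the client address (+ optional epoch)."""
    msg = socket.inet_aton(ip) + struct.pack("!H", port)
    if epoch is not None:
        msg += struct.pack("!Q", epoch)
    return hmac.new(BOOT_KEY, msg, hashlib.sha256).digest()[:4]


def issue_static(ip, port):
    # Depends only on key and address: the same value until the key changes.
    return _token(ip, port)


def verify_static(ip, port, token):
    return hmac.compare_digest(_token(ip, port), token)


def issue_timed(ip, port, now):
    # Also covers the current epoch, so the token ages out on its own.
    return _token(ip, port, int(now) // EPOCH_SECONDS)


def verify_timed(ip, port, token, now):
    # Accept the current and the previous epoch to tolerate handshake delay.
    current = int(now) // EPOCH_SECONDS
    return any(
        hmac.compare_digest(_token(ip, port, e), token)
        for e in (current, current - 1)
    )


if __name__ == "__main__":
    ip, port, t0 = "203.0.113.7", 40000, 1_000_000  # constructed sample values
    static, timed = issue_static(ip, port), issue_timed(ip, port, t0)
    day_later = t0 + 86_400
    print("static token accepted a day later:", verify_static(ip, port, static))
    print("timed token accepted a day later: ", verify_timed(ip, port, timed, day_later))
```

The epoch shortens the window in which a captured token is accepted; it does not stop a replay made inside that window.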