[Last-Call] secdir review of draft-ietf-stir-cert-delegation-03

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document describes how authority over telephone numbers and related identifiers can be delegated from a parent certificate to a subordinate certificate. I am not versed in STIR but have a few questions and comments:

1) Section 4 states "STIR delegate certificates are certificates containing a TNAuthList object that have been signed with the private key of a parent certificate that itself contains a TNAuthList object." Section 4.1 references the use of "by-reference rather than by value, where a URL in the certificate points to a secure, dynamically-updated list of the telephone numbers in the scope of authority of a certificate". If the statement requiring inclusion of the TNAuthList extension is intended to preclude the AIA-based by-reference approach, this should be clearly stated. If this is not the intent, then the statement should be generalized to allow for either mechanism.
2) Assuming by-reference is intended, section 4.1 should include some guidance re: when the encompassing check must be performed. The current language states the check "might be performed at the time the delegate certificate is issued, or at the time that a verification service receives an inbound call, or potentially both."
3) Some discussion of handling certification paths with both TNAuthList extensions and AIA-based by-reference objects is likely needed.
4) Why is the authority token draft in the informative section instead of normative? ACME itself is in the normative and the importance of this draft to the setting of basic constraints may justify listing as normative and citing it in the security considerations section. 
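One way to implement the "encompassing" check that item 2 above leaves open, as an added Python example that is not part of this review or the draft: each certificate's TNAuthList on the path must be covered by its issuer's. The TNEntry class, the functions and the sample carrier/enterprise/department lists are all constructed here, and an SPC entry is only matched by an identical SPC because resolving an SPC to its numbers is outside this snippet.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class TNEntry:
    """One TNAuthList entry: kind is "spc", "tn" or "range" (the RFC 8226 TNEntry choices)."""
    kind: str
    value: str       # SPC string, a single TN, or the first TN of a range (digits only)
    count: int = 1   # number of consecutive TNs; only meaningful for "range"

def covered_by(sub: TNEntry, sup: TNEntry) -> bool:
    """True if every number asserted by sub is also asserted by sup."""
    if sup.kind == "spc":
        # Assumption: SPC scope is not expanded here, so only an identical SPC matches.
        return sub.kind == "spc" and sub.value == sup.value
    if sub.kind == "spc":
        return False  # an explicit number set can never encompass a whole SPC
    sub_lo = int(sub.value)
    sub_hi = sub_lo + (sub.count if sub.kind == "range" else 1)
    sup_lo = int(sup.value)
    sup_hi = sup_lo + (sup.count if sup.kind == "range" else 1)
    return sup_lo <= sub_lo and sub_hi <= sup_hi

def not_encompassed(delegate: List[TNEntry], parent: List[TNEntry]) -> List[TNEntry]:
    """Delegate entries that no single parent entry covers (empty list means encompassed)."""
    return [e for e in delegate if not any(covered_by(e, p) for p in parent)]

def check_path(path: List[List[TNEntry]]) -> List[Tuple[int, TNEntry]]:
    """path[0] is the root-most TNAuthList, path[-1] the leaf's. Each certificate's
    list must be encompassed by its issuer's; returns (depth, entry) for every violation."""
    return [(i, e) for i in range(1, len(path)) for e in not_encompassed(path[i], path[i - 1])]

# Constructed sample data (not from the draft): a carrier certificate delegating to an
# enterprise, which in turn delegates to one of its departments.
CARRIER = [TNEntry("spc", "1234"), TNEntry("range", "12125550000", 10000)]
ENTERPRISE = [TNEntry("range", "12125551000", 100), TNEntry("tn", "12125559999")]
DEPARTMENT = [TNEntry("range", "12125551050", 10)]
OVERREACH = [TNEntry("tn", "12125560000"), TNEntry("spc", "9999")]  # outside the enterprise scope

if __name__ == "__main__":
    print("valid chain:", check_path([CARRIER, ENTERPRISE, DEPARTMENT]))  # []
    print("bad chain:", check_path([CARRIER, ENTERPRISE, OVERREACH]))
```

Running the same function at issuance time and again at verification time, as the draft's "potentially both" wording allows, costs only a second pass over the path.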

