Hi Nancy, Thanks for the review i have addressed the nits and included explicit MUSTs as referenced. I will release an 08 version soon pending any other reviews. Thanks! -Chris > On Mar 25, 2021, at 6:22 PM, Nancy Cam-Winget via Datatracker <noreply@xxxxxxxx> wrote: > > Reviewer: Nancy Cam-Winget > Review result: Has Nits > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This document describes the extensions to ACME to allow for a third party Token > Authority also act as the authority and authorization of entities to control a > resource; the use case and motivating scenario described in the draft is for a > telephone authority to be the authority for creating CA types of certificates > for (STIR) delegation. The document assumes full knowledge of a set of drafts > and is straightforward. I only have a couple of nits but otherwise I think it > is ready. > > NITs: > Section 5.2: the "exp" claim is mute on SHOULD vs MUST, it seems that you would > want to have such a claim so minimally a SHOULD? > > Section 5.3: is this optional, may or must? > > Section 5.4: personal nit, the section should specify this claim to be a MUST, > it is implicitly stated but would prefer it to be explicit. > > Section 6: > -I presume that "verify the atc field" is actually verifying that the > TNAuthList token is valid? > > > -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
