Re: [Last-Call] Secdir last call review of draft-ietf-netconf-keystore-30

Hi Magnus,

Thank you for the updated SecDir review!
Please find one response below.

Kent


> On Feb 4, 2024, at 3:28 PM, Magnus Nyström via Datatracker <noreply@xxxxxxxx> wrote:
> 
> Reviewer: Magnus Nyström
> Review result: Has Nits
> 
> I have reviewed this document as part of the IETF SecDir's effort to review all
> I-Ds before publication. These comments were written primarily for the benefit
> of the security area directors.  Document editors and WG chairs should treat
> these comments just like any other comments.
> 
> This is my second review of this document; the first was done on version -18
> (or -19). The document is much improved in clarity, and I particularly liked
> the inclusion of a Master Key option to handle KEKs.

Thanks.


> My remaining comments are:
> 
> - The "certificate" node in the YANG module seems under-specified. It isn't
> clear to me what "name" refers to, and normally you're able to look up a
> certificate by using the combination of Issuer (distinguished) name and serial
> number, for example. Some more info here seems warranted?
> 
> - Section 4.1 talks about "possessing" a key - it is not clear what "possess"
> means. In practice, access to the key such that it can be used for its
> intended purpose (even without being able to know the actual key value) should
> be sufficient.

This comment was raised by others as well (and is being tracked in another
thread), but the gist of it is that the model is purposely not trying to assert
that the name must match any particular cert-value (CN, SAN, etc.).


Thanks again,
Kent

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
