Linda,

Thank you for your review and your comments. I am sorry for responding so late. The co-authors and I wanted to consolidate the feedback to the different reviews. Please see my response to your comment inline below.

The latest version of the draft ready for submission and a diff to the latest version on datatracker are available on github:
- https://lamps-wg.github.io/cmp-updates/#go.draft-ietf-lamps-rfc4210bis.html
- https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-lamps-rfc4210bis&url_2=https://lamps-wg.github.io/cmp-updates/draft-ietf-lamps-rfc4210bis.txt

Please let me know if the proposed changes sufficiently address your comments.

Hendrik

> From: Linda Dunbar via Datatracker <noreply@xxxxxxxx>
> Sent: Tuesday, 29 October 2024 02:54
>
> Reviewer: Linda Dunbar
> Review result: Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team
> (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF
> Chair. Please treat these comments just like any other last call comments.
>
> For more information, please see the FAQ at
> <https://wiki.ietf.org/en/group/gen/GenArtFAQ>.
>
> Document: draft-ietf-lamps-rfc4210bis-14
> Reviewer: Linda Dunbar
> Review Date: 2024-10-28
> IETF LC End Date: 2024-10-23
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
> The document provides an extensive update to RFC 4210 with significant details on
> X.509 PKI management, message formats, and certificate operations.
>
> Major issues: As I am not an implementer, I can't identify any major issues of the
> message formats and operations just from reading them.
>
> Minor issues:
>
> Nits/editorial comments:
>
> Section 4.4 outlines the Root CA Key Update process, including conditions for
> maintaining old and new CA key pairs and link certificates. Given the complexity of
> this process, additional operational guidance would be beneficial for real-world
> scenarios, particularly in scenarios where multiple CA key updates may overlap. The
> document could provide examples or recommendations on updating practices,
> particularly where different validity periods for certificates and keys could create
> unexpected verification issues.

[HB] You are right. Continuously updating root CA keys with overlapping validity would benefit from additional guidance. There are already some further documents like Trust Anchor Management Protocol (TAMP) [RFC5934], Trust Anchor Management Requirements [RFC6024], Hash of Root Key Certificate Extension [RFC8649] that provide additional guidance. This document specifies CMP protocol messages to update root CA keys. It does not claim to discuss the topic in detail.

>
> Best Regards,
> Linda Dunbar
>

--
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx