I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html ). Please resolve these comments along with any other Last Call comments you may receive. Document: Specification for the Derivation of Root Keys from an Extended Master Session Key (EMSK) Reviewer: Joel M. Halpern Review Date: 17-March-2008 IETF LC End Date: 17-March-2008? IESG Telechat date: N/A Summary: This document appears ready for publication. Comments: While there has been much discussion on the IETF list of the references to "applications" in this document, I have chosen not to comment on that. It seems to me that the relevant statement is that specific usages are out of scope for this document. The one thing that bothers me a little is the intended status of this document. Given that the EMSK is entirely inside a system, and that therefore the actual generation process is internal to that system, I am not sure that a registry tied to the specifics of the generation mechanism, is appropriate. A lot of this document is of the form "if you don't define it some other way, do this." While very useful text, it actually doesn't seem to affect on-the-wire interoperability. So I wonder if this whole document is more informational than "proposed standard?" I'm not sure on this, but the containment property did strike me reading the document. Minor: While I would guess that the usage is actually the normal usage, the definitions of Usage Specific Root Key, Domain Specific Root Key and Key Management Domain are somewhat confusing for the outside reader. Specifically, the Key Management Domain is defined as being the scope of a given root key. This leads the reader to conclude that any root key is inherently domain specific, because it defines a domain. So how can one have a special kind of "Domain Specific Root Key" that is "restricted to use in a specific key management domain." At a guess it is the difference between a domain defined by the key and a key defined to fit an existing domain. But I hate guessing when it comes to RFCs. Given that the document later defines the domain for DSRK in terms of domain names, "adding "separately defined" or even "defined by a domain name" to the DSRK definition would address this. The last of the requirements (about separation of domain keys and usage keys and avoiding label collision) requires material later in the document in order to be understood. A forward reference would be a good idea, indicating where the domain name and usage key label are described. _______________________________________________ IETF mailing list IETF@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf