Ballot for draft-ietf-lamps-8410-ku-clarifications
Yes
No Objection
Note: This ballot was opened for revision 01 and is now closed.
Comments: I agree with John that it seems odd to have a valid ee certificate contain only cRLSign. The text could use a cleanup to split ee-cert from crl issuer cert more clearly, although I think the intention here is obvious.

There are 1 verified and 3 reported errata in 8410. These could also be fixed by this document update, although a "patch style" update as done here is probably not that different from the existing errata entries, so not a blocker for me.

nits: The link for "Section 5" points to the section 5 of this document, instead of that of RFC 8410. Likely a tooling issue.
# GEN AD review of draft-ietf-lamps-8410-ku-clarifications-01

CC @larseggert

Thanks to Joel Halpern for the General Area Review Team (Gen-ART) review
(https://mailarchive.ietf.org/arch/msg/gen-art/ew0t0iQJ9IgBKVrgvsSKviAbMcI).

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

[ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md
[ICT]: https://github.com/mnot/ietf-comments
[IRT]: https://github.com/larseggert/ietf-reviewtool
The introduction is pretty careful about enumerating the changes, but it doesn't mention that the new section adds CRL issuer certificates for id-Ed25519 or id-Ed448, and end-entity certificates now have the option of including cRLSign to comply with the spec.

Is it correct that an end-entity certificate could solely include cRLSign and be valid? The text says so. I don't know the protocol but that seems counter-intuitive to me.