Supply Chain Integrity, Transparency, and Trust (SCITT) Reference APIs
draft-ietf-scitt-scrapi-10

Discuss

Éric Vyncke
Mike Bishop

Yes

Deb Cooley

No Objection

Andy Newton
Charles Eckel
Gorry Fairhurst
Gunter Van de Velde
Jim Guichard
Ketan Talaulikar
Mohamed Boucadair
Roman Danyliw

Recuse

Christopher Inacio

No Record

Mahesh Jethanandani
Tommy Jensen

Summary: Has 2 DISCUSSes. Has enough positions to pass once DISCUSS positions are resolved.

Éric Vyncke
Discuss
Discuss (2026-05-17) Sent 
# Éric Vyncke INT AD comments for draft-ietf-scitt-scrapi-10
CC @evyncke

Thank you for the work put into this document.

Please find below some blocking DISCUSS points (easy to address), some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education).

Special thanks to Amaury Chamayou for the shepherd's write-up including the WG consensus _and_ the justification of the intended status.

I hope that this review helps to improve the document,

Regards,

-éric

Note: this ballot comments follow the Markdown syntax of https://github.com/mnot/ietf-comments/tree/main, i.e., they can be processed by a tool to create github issues.

## DISCUSS (blocking)

As noted in https://datatracker.ietf.org/doc/statement-iesg-handling-ballot-positions-20220121/, a DISCUSS ballot is a request to have a discussion on the points below; I really think that the document would be improved with a change here, but can be convinced otherwise.

### Section 2

Is there any constrain in which language is the `human-readable` ? MUST it be US English ? It may be implicit due to HTTP protocol though, then I will obviously stand corrected.

### Use of SHOULD

There are several `SHOULD` in the document that could easily be a `MUST`. E.g., section 2 `Clients SHOULD treat`, section 2.1 `SHOULD include Accept: application/cbor in the request`. So, either change the `SHOULD` in `MUST` or provide guidance when the `SHOULD` can be bypassed. Currently, it is really ambiguous.

See also https://datatracker.ietf.org/doc/statement-iesg-statement-on-clarifying-the-use-of-bcp-14-key-words/
Comment (2026-05-17) Sent 
## COMMENTS (non-blocking)

### Med's DISCUSS

I support Med Boucadair's DISCUSS point about the apparent conflict between `MUST` and `MAY`.

### Abstract

s/This document describes/This document *specifies*/ as this I-D aims for PS.

### Section 1

`The following resources MUST be implemented for conformance to this specification`, unsure whether the IETF is in the business of defining "conformance". Also, as all the refered sections are normative, this paragraph is fully redundant.

### Section 2

In the HTML rendering, it is unclear whether `* title:` is part of the numbered list just above. It also needs some leading text.
Mike Bishop
Discuss
Discuss (2026-05-18) Sent 
Thank you for your work on this document. It's clear that you've taken a lot of care with the interaction with HTTP and incorporated much of Darrel Miller's HTTP Directorate review (https://datatracker.ietf.org/doc/review-ietf-scitt-architecture-01-httpdir-early-miller-2023-04-24/). I'm sorry we didn't succeed in getting you a Last Call review following up on that.

# IESG review of draft-ietf-scitt-scrapi-10

CC @MikeBishop

## Discuss

### Section 2.4.1, paragraph 2
```
     If the client requests (GET) the location when the registration is
     still in progress, the TS MAY return a 302 Found, as in this non-
     normative example:
```
I'm a bit uncomfortable with the idea of a 302 redirect from a resource to
itself. Redirects to the same URI don't really fit into any of the categories
described in Section 15.4 of RFC 9110.

Fundamentally, I think you need to decide whether this resource represents the
operation or the result. If it represents the operation, it should return a 200
and a description of the operation's status (complete, in-progress, failed,
etc.); completed operations will include the URL of the result or might redirect
there.

If it represents the result itself, it won't exist (404) until the operation
completes.
Comment (2026-05-18) Sent 
## Comments

### Section 2.2, paragraph 12
```
     If the kid values used by the service ({kid_value} in the request
     above) are not URL-safe, the resource MUST accept the base64url
     encoding of the kid value, without padding, in the URL instead.
```
Does this imply that clients determine the request format based on whether the
kid_value they're querying is URL-safe? Can a client infer whether *all* kid
values are URL-safe based on examining one kid?

I'd be inclined to make this say either that resources must exist for both the
raw kid value (if URL-safe) and the base64url-encoded value, or that a server
publishes somewhere whether it commits to URL-safe kid values.

### Section 2.3.2, paragraph 1

I would have expected 202 here, but 303 also seems defensible. No
change necessarily required, just review the definitions of each to be sure.

### Section 2.4.1, paragraph 3
```
     The location MAY be temporary, and the service may not serve a
     relevant response at this Location after a reasonable delay.
```
There are several instances of this sentence; I'd suggest a slight rephrase
throughout to
ensure "may not serve" is read as permission not to serve rather than a
prohibition on serving. "...the server might remove the resource after a
reasonable delay."

### Missing references

No reference entries found for these items, which were mentioned in the text:
`[RFC9162]` and `[RFC7231]`.

(But note that 7231 is obsoleted by 9110, so you probably want to update that
text rather than adding the reference.)

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via https://github.com/larseggert/ietf-reviewtool), so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Typos

#### Section 2.1, paragraph 9
```
-    The Transparency Service MAY stop returning at that resource the keys
-                                                ---------------------
```

### Section 6.1.1, paragraph 2
```
     URI suffix: scitt-keys Change controller: IETF Specification
     document(s): RFCthis Status: Permanent Related information:
     [I-D.draft-ietf-scitt-architecture]
```
I suspect this is not the formatting you intended for this list.

### Grammar/style

#### Section 2.3.1, paragraph 5
```
 "Signed Statement contained a non supported algorithm" } HTTP/1.1 400 Bad Re
                               ^^^^^^^^^^^^^
```
This expression is usually spelled with a hyphen.

#### Section 2.4.1, paragraph 7
```
 "Signed Statement contained a non supported algorithm" } HTTP/1.1 400 Bad Re
                               ^^^^^^^^^^^^^
```
This expression is usually spelled with a hyphen.

#### Section 2.4.5, paragraph 1
```
f authorization or preventing denial of service attacks. If Authentication i
                              ^^^^^^^^^^^^^^^^^
```
It appears that hyphens are missing.

#### Section 2.5.1, paragraph 3
```
al of Service Attacks While denial of service attacks are very hard to defen
                            ^^^^^^^^^^^^^^^^^
```
It appears that hyphens are missing.

#### Section 2.5.2, paragraph 4
```
 limited risk to eavesdropping. Nonetheless transparency may mean 'within a
                                ^^^^^^^^^^^
```
A comma may be missing after the conjunctive/linking adverb "Nonetheless".
Deb Cooley
Yes
Andy Newton
No Objection
Comment (2026-05-19) Sent 
I support Mike Bishop's DISCUSS on the 302.
Charles Eckel
No Objection
Comment (2026-05-19) Sent 
I support Mike Bishop's DISCUSS on the use of 302 in section 2.4.1. 
202 seems more appropriate.
Gorry Fairhurst
No Objection
Comment (2026-05-10 for -09) Sent 
This document does not spoecify a tranport mechanism, and I have transport review comments.

Please find the following (non-blocking) COMMENTS:

- There are two sentences that follow one another, and do not read correctly, please consider combining these:

"Section 2 of [RFC7515] specifies Base64Url encoding as follows: [RFC7515] specifies Base64url encoding as follows:"

Gorry
Gunter Van de Velde
No Objection
Jim Guichard
No Objection
Ketan Talaulikar
No Objection
Mohamed Boucadair
(was Discuss) No Objection
Comment (2026-05-18) Sent 
Hi Henk, Jon, and Antoine, 

Thank you for the changes made in -10 [1]. These address all comments in my previous ballot [2]. Much appreciated.

# I have one minor comment for -10: RFC8792 has this MUST: 

"7.1.  Folded Structure

   Text content that has been folded as specified by this strategy MUST
   adhere to the following structure.

7.1.1.  Header

   The header is two lines long.

   The first line is the following 36-character string; this string MAY
   be surrounded by any number of printable characters.  This first line
   cannot itself be folded.

   NOTE: '\' line wrapping per RFC 8792
"

However, many of the snippets with folding in the draft do not have the required surrounding note such as in 

CURRENT:

   HTTP/1.1 400 Bad Request
   Content-Type: application/concise-problem-details+cbor

   {
     / title /         -1: \
             "Bad Signature Algorithm",
     / detail /        -2: \
             "Signed Statement contained a non supported algorithm"
   }

Cheers,
Med

[1] https://author-tools.ietf.org/iddiff?url1=draft-ietf-scitt-scrapi-09&url2=draft-ietf-scitt-scrapi-10&difftype=--html

[2] https://mailarchive.ietf.org/arch/msg/scitt/aynYWkU1mIR1CD8YF5YHXi7S7jI/
Roman Danyliw
No Objection
Comment (2026-05-18) Not sent 
Thank you to Gyan Mishra for the GENART review.
Christopher Inacio
Recuse
Comment (2026-05-19) Sent 
The document has improved since I was WG Chair for this document.  I thank all the feedback provided to the authors and the authors hard work for the improvements.  Since I was WG Chair during the development up to submission of this document, I recuse.
Mahesh Jethanandani
No Record
Tommy Jensen
No Record