I have no object to the publication of this document as an RFC. Many thanks to Barry Leiba for his ARTART review.

Hi authors, Hannes, and WG,

Thank you for taking care of my comments. 

All the points raised in my previous ballot [1] were adequately addressed in [2].

One comment about -20 though, Section 6.6 has text that is not specific to that section and should be moved out of the subsection.

Cheers,
Med

[1] https://mailarchive.ietf.org/arch/msg/suit/vVFGeoYo3REHWhPQP2rBbGRenHI/

[2] https://author-tools.ietf.org/iddiff?url1=draft-ietf-suit-mti-18&url2=draft-ietf-suit-mti-20&difftype=--html

# Orie Steele, ART AD, comments for draft-ietf-suit-mti-22 
CC @OR13

* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-suit-mti-22.txt&submitcheck=True

* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md

* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/

## Comments

Thanks to Barry Leiba for the ARTART review.

### OPTIONAL to MANDATORY?

```
492	   As time progresses, algorithm profiles may loose their MANDATORY
493	   status.  Then, their status will become either OPTIONAL or NOT
494	   RECOMMENDED for new implementations.  Likewise, a profile may be
495	   transitioned from OPTIONAL to NOT RECOMMENDED.  Since it may be
496	   impossible to update certain parts of the IoT device firmware in the
497	   field, such as first stage bootloaders, support for all relevant
498	   algorithms will almost always be required by authoring tools.
```

I wonder if its worth stating explicitly that suites marked OPTIONAL or NOT RECOMMENDED MUST NOT be transitions to MANDATORY.
Just for the sake of clarity to the DEs.


### Why no number assignment for the suite?

```
503	6.1.  Profile: suit-sha256-hmac-a128kw-a128ctr

505	   *  Profile: suit-sha256-hmac-a128kw-a128ctr

507	   *  Status: MANDATORY

509	   *  Digest: -16

511	   *  Auth: 5

513	   *  Key Exchange: -3

515	   *  Encryption: -65534

517	   *  Descriptor Array: [-16, 5, -3, -65534]

519	   *  Reference: Section 3.1 of THIS_DOCUMENT
```

Given the suites builds on COSE, I was expecting to see a number assigned to the suite.
Given that the registration policy is standards action, there does not seem to be a challenge in requesting the assignment of a new number.

Thank you to Linda Dunbar for the GENART review.

** Section 3
   Each profile references specific algorithm identifiers, as defined in
   [IANA-COSE]. 

This reference makes [IANA-COSE] a normative reference.  It is currently informative.

** Section 3.
Since these algorithm identifiers are used in the
   context of the IETF SUIT manifest [I-D.ietf-suit-manifest], they are
   represented using CBOR Object Signing and Encryption (COSE)
   structures as defined in [RFC9052] and [RFC9053].

Same as above. [RFC9053] also appears to be normative.

** Section 6 
   IANA is requested to create a page for "COSE SUIT Algorithm Profiles"
   within the "Software Update for the Internet of Things (SUIT)"
   registry group.  IANA is also requested to create a registry for
   "COSE SUIT Algorithm Profiles" within that registry group.

What is a “page … within SUIT registry group”?  How is that different than the next sentence’s request for a new registry?

** Section 6.  Can the text explicitly define with inline text or by reference the semantics of the IANA column values.  Perhaps reference Section 3.  Consider if it might be clear to align the column names with the names used in Section 3 and Tables 1-6.

# Éric Vyncke, INT AD, comments for draft-ietf-suit-mti-21
CC @evyncke

Thank you for the work put into this document.

Please find below some non-blocking COMMENT points/nits (replies would be appreciated even if only for my own education).

Special thanks to Russ Housley for the shepherd's write-up (using the old template) including the WG consensus *but it lacks* the justification of the intended status.

Other thanks to Lorenzo Corneo, the IoT directorate reviewer (at my request):
https://datatracker.ietf.org/doc/review-ietf-suit-mti-18-iotdir-telechat-corneo-2025-06-26/ (and I have read the dialog with the authors)

I hope that this review helps to improve the document,

Regards,

-éric

## COMMENTS (non-blocking)

### Abstract

Suggestion: swap the first and second paragraphs.

### Section 1

Should the reference to RFC 9124 be repeated in the introduction?

### Section 3

Suggestion: mention that the profiles will be in a IANA registry (with forward reference to IANA considerations). This could also appear in the introduction.

### Section 4.1

Unsure to understand what is meant by "gadget" in `or use gadgets found in the code will need to first extract the code from the target` ...