Last Call Review of draft-ietf-acme-authority-token-tnauthlist-07
review-ietf-acme-authority-token-tnauthlist-07-secdir-lc-cam-winget-2021-03-25-00

Request Review of draft-ietf-acme-authority-token-tnauthlist
Requested revision No specific revision (document currently at 13)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-03-16
Requested 2021-02-23
Authors Chris Wendt , David Hancock , Mary Barnes , Jon Peterson
I-D last updated 2021-03-25
Completed reviews Genart Last Call review of -07 by Pete Resnick (diff)
Secdir Last Call review of -07 by Nancy Cam-Winget (diff)
Artart Telechat review of -08 by Sean Turner (diff)
Assignment Reviewer Nancy Cam-Winget
State Completed
Request Last Call review on draft-ietf-acme-authority-token-tnauthlist by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/AYZcECpjmQn202nSNYk1MtXI3BA
Reviewed revision 07 (document currently at 13)
Result Has nits
Completed 2021-03-25
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the extensions to ACME that allow a third-party Token
Authority to also act as the authority for, and authorization of, entities to
control a resource; the use case and motivating scenario described in the draft
is for a telephone authority to be the authority for creating CA types of
certificates for (STIR) delegation.  The document assumes full knowledge of a
set of drafts and is straightforward.  I only have a couple of nits, but
otherwise I think it is ready.

NITs:
Section 5.2: the "exp" claim is silent on SHOULD vs. MUST; it seems that you
would want to have such a claim, so minimally a SHOULD?

Section 5.3: is this optional, MAY or MUST?

Section 5.4: personal nit: the section should specify this claim as a MUST;
it is implicitly stated, but I would prefer it to be explicit.

Section 6:
 - I presume that "verify the atc field" is actually verifying that the
   TNAuthList token is valid?
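
The following is an added example, written for this page and not taken from the draft or from the reviewer, showing what a token consumer's claim checks look like when the "exp" and "atc" requirements raised in the nits above are made mandatory rather than optional. It decodes the payload of a compact JWS and rejects any authority token that lacks a numeric "exp", has expired, or lacks an "atc" object naming a TNAuthList. The key names inside the "atc" object ("tktype", "tkvalue", "ca") follow my reading of the draft and are an assumption of this example; signature verification is assumed to be performed by the caller before the payload is trusted, and the sample token built here carries a placeholder signature only so the decoder has something to parse.

```python
"""Added example: claim checks for a TNAuthList authority token (compact JWS).

Not code from the draft or the review. Signature verification is assumed to be
done by the caller first; this module only enforces the claim-level checks.
"""
import base64
import json
import time

# Assumed layout of the "atc" object (key names are an assumption here).
REQUIRED_ATC_KEYS = ("tktype", "tkvalue")


class TokenError(ValueError):
    """Raised when the token's claims do not pass validation."""


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims object of a compact JWS. Does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a compact JWS (expected 3 segments)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise TokenError("payload is not a JSON object")
    return claims


def validate_authority_token_claims(claims: dict, now=None) -> dict:
    """Require an unexpired numeric "exp" and an "atc" object for a TNAuthList.

    Returns the "atc" object on success and raises TokenError otherwise.
    """
    now = time.time() if now is None else now
    # A missing "exp" is fatal: a token with no expiry is never accepted.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenError('"exp" claim missing or not numeric')
    if now >= exp:
        raise TokenError("token expired")
    atc = claims.get("atc")
    if not isinstance(atc, dict):
        raise TokenError('"atc" claim missing or not an object')
    missing = [k for k in REQUIRED_ATC_KEYS if k not in atc]
    if missing:
        raise TokenError(f'"atc" object missing keys: {missing}')
    if atc["tktype"] != "TNAuthList":
        raise TokenError(f'unexpected tktype {atc["tktype"]!r}')
    tkvalue = atc["tkvalue"]
    if not isinstance(tkvalue, str) or not tkvalue:
        raise TokenError('"tkvalue" must be a non-empty base64url string')
    try:
        _b64url_decode(tkvalue)  # must at least be well-formed base64url
    except ValueError as exc:
        raise TokenError("tkvalue is not base64url") from exc
    return atc


def make_sample_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature for the constructed
    samples below. Not a real signing routine: the Token Authority signs."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'placeholder-signature')}"


# Constructed sample inputs (fixed clock: 2021-03-25T00:00:00Z, the review date).
NOW = 1_616_630_400
GOOD_CLAIMS = {
    "iss": "https://authority.example", "jti": "id-1", "exp": NOW + 600,
    # tkvalue is a constructed byte string, not a real DER TNAuthList.
    "atc": {"tktype": "TNAuthList", "tkvalue": _b64url_encode(b"\x30\x03\xa0\x01\x31"),
            "ca": False},
}
NO_EXP_CLAIMS = {k: v for k, v in GOOD_CLAIMS.items() if k != "exp"}


def check(claims: dict, now: int = NOW) -> str:
    """Run the full path on a constructed token and report the decision."""
    try:
        validate_authority_token_claims(decode_jwt_payload(make_sample_token(claims)), now)
        return "accepted"
    except TokenError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("good token:   ", check(GOOD_CLAIMS))
    print("no exp claim: ", check(NO_EXP_CLAIMS))
    print("expired:      ", check(dict(GOOD_CLAIMS, exp=NOW - 1)))
```

Making "exp" mandatory, as the Section 5.2 nit suggests, means the consumer can reject a token with no expiry outright instead of deciding locally how long an unbounded authorization should be honoured; the Section 6 nit is reflected in treating the "atc" check as validation of the TNAuthList token's contents rather than a mere presence check.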