IETF Last Call Review of draft-ietf-cose-cbor-encoded-cert-16
review-ietf-cose-cbor-encoded-cert-16-genart-lc-housley-2026-01-28-00

Request Review of draft-ietf-cose-cbor-encoded-cert
Requested revision No specific revision (document currently at 17)
Type IETF Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2026-02-10
Requested 2026-01-27
Authors John Preuß Mattsson , Göran Selander , Shahid Raza , Joel Höglund , Martin Furuhed
I-D last updated 2026-04-15 (Latest revision 2026-03-02)
Completed reviews Dnsdir IETF Last Call review of -16 by Ted Lemon (diff)
Genart IETF Last Call review of -16 by Russ Housley (diff)
Secdir IETF Last Call review of -16 by Corey Bonnell (diff)
Dnsdir Telechat review of -17 by Ted Lemon
Secdir Telechat review of -17 by Corey Bonnell
Assignment Reviewer Russ Housley
State Completed
Request IETF Last Call review on draft-ietf-cose-cbor-encoded-cert by General Area Review Team (Gen-ART) Assigned
Posted at https://mailarchive.ietf.org/arch/msg/gen-art/4O7W5_vTgjkbuIkcgXuwVSMY7Yo
Reviewed revision 16 (document currently at 17)
Result Ready w/nits
Completed 2026-01-28
review-ietf-cose-cbor-encoded-cert-16-genart-lc-housley-2026-01-28-00
I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at
<https://wiki.ietf.org/en/group/gen/GenArtFAQ>.

Document: draft-ietf-cose-cbor-encoded-cert-16
Reviewer: Russ Housley
Review Date: 2026-01-28
IETF LC End Date: 2026-02-10
IESG Telechat date: unknown


Summary: Ready with Nits


Major Concerns:  None


Minor Concerns:

Section 1: The two types of C509 certificates (CBOR encoding of DER-
encoded X.509 certificates and natively signed C509 certificates) is
discussed at the beginning of the introduction and the end of the
introduction.  It would be more desirable to talk about this in only
one spot.

Section 1 says:

   The use of CBOR also reduces code complexity, code
   size, memory usage, and CPU usage.

This is not true for the case where C509 carries a signature on the
X.509 certificate.  Please add some qualification.

Figure 5: It would be good to see an ML-DSA certificate in this table.
The public key and signature will not compress, so the comparison will
help implementeres determine whether C509 is worth the time to write
the code.


Nits:

General: s/DER encoded/DER-encoded/ (many places)

General: s/Weierstraß/Weierstrass/ (for string search in other RFCs)

Section 1: s/We recommend implementors to get used/Implementors can get used/

Section 3: s/DER encoded [RFC5280] X.509 certificates/
            /DER-encoded X.509 certificates [RFC5280]/

Section 6: s/DER encoded RFC 2986 CertificationRequestInfo/
            /DER-encoded CertificationRequestInfo [RFC2986]/


Additional Thoughts:

1.  Section 4: It would be easy to add support for the attribute
specified in RFC 9883.  If ML-DSA and ML-KEM achieve wide deployment
outside the Web PKI, support for this CSR attribute will be needed.  I do
not want to delay approval of this document, bit is looks like this would
be a straightforward addition.

2.  There is an Internet-Draft for otherName that contains a MAC address
going through the LAMPS WG.  Based on Section 3.1.4 that has special logic
for EUI-64, this may be of value to some implementers.  We can get an early
assignment of the OID is there is interest in adding support for this new
otherName form to this document.  If so, it may deserve some language in
Section 3.3.