IETF Last Call Review of draft-ietf-cose-merkle-tree-proofs-13
review-ietf-cose-merkle-tree-proofs-13-secdir-lc-kaufman-2025-05-22-00

Request
  Review of: draft-ietf-cose-merkle-tree-proofs
  Requested revision: No specific revision (document currently at 18)
  Type: IETF Last Call Review
  Team: Security Area Directorate (secdir)
  Deadline: 2025-05-13
  Requested: 2025-04-29
  Authors: Orie Steele, Henk Birkholz, Antoine Delignat-Lavaud, Cedric Fournet
  I-D last updated: 2026-03-06 (Latest revision 2025-12-02)
  Completed reviews:
    Genart IETF Last Call review of -14 by Linda Dunbar
    Secdir IETF Last Call review of -13 by Charlie Kaufman

Assignment
  Reviewer: Charlie Kaufman
  State: Completed
  Request: IETF Last Call review on draft-ietf-cose-merkle-tree-proofs by Security Area Directorate (Assigned)
  Posted at: https://mailarchive.ietf.org/arch/msg/secdir/v76BA2oc3hHh-3uBkyPQIUvnVb0/
  Reviewed revision: 13 (document currently at 18)
  Result: Has nits
  Completed: 2025-05-11

Reviewer: Charlie Kaufman
Review result: Has nits

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

This document assigns three new code points in the IANA registry for COSE
header parameters. While I am somewhat appalled that doing so requires a 27
page RFC that no one will ever read, that is not the fault of the authors who -
to their credit - include example syntax that would be helpful to anyone who
stumbled upon them. This document only defines the code points. The syntax for
the data included at those code points is contained in other documents.

Possible issue for the authors to review and decide whether I'm just confused:

Section 4.2 says "This document establishes a registry of verifiable data
structure algorithms, with the following initial contents:" but IANA
considerations only requests the registration of three new code points rather
than also requesting the creation of a new registry. I don't understand why.

I did not examine the document carefully for typos, but I did notice these:

Section 1, line 3: "proves" should be "proofs"

Section 2, under TBD_0: "one ore more" should be "one or more"

"Merkle" is sometimes capitalized and sometimes not ("merkle"). This is
probably not intended.

      —Charlie