Telechat Review of draft-ietf-drip-auth-46
review-ietf-drip-auth-46-intdir-telechat-bernardos-2024-01-29-00
I am an assigned INT directorate reviewer for <draft-ietf-drip-auth>. These comments were written primarily for the benefit of the Internet Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the INT Directorate, see https://datatracker.ietf.org/group/intdir/about/.

Please note that this particular document is really outside of my area of expertise [1].

Based on my review, if I were on the IESG I would ballot this document as NO OBJECTION.

The only issue/comment I have is on the use of the DNS indicated in the document:

   An Observer SHOULD query DNS for the UA's HI. If not available it may
   have been revoked. Note that accurate revocation status is a DIME
   inquiry; DNS non-response is a hint that a DET is expired or revoked.
   It MAY be retrieved from a local cache, if present. The local cache is
   typically populated by DNS lookups and/or by received Broadcast
   Endorsements (Section 3.1.2).

I think additional details would be helpful on the assumptions about the DNS security mechanisms that are assumed to be in place for this to work (or to make this not subject to attacks).

The following are minor issues (typos, misspelling, minor text improvements) with the document:

- Expand DRIP in the introduction (it is done in the abstract, but I think it improves readability if it is also done the first time the term is used in the main body of the document).

Thanks,

Carlos

[1] I should have probably realized this when assigning this document to myself for review, thus I owe another apology.