Skip to main content

Last Call Review of draft-ietf-lamps-rfc4210bis-14
review-ietf-lamps-rfc4210bis-14-secdir-lc-kelly-2024-10-27-00

Request Review of draft-ietf-lamps-rfc4210bis
Requested revision No specific revision (document currently at 18)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-10-23
Requested 2024-10-09
Authors Hendrik Brockhaus , David von Oheimb , Mike Ounsworth , John Gray
I-D last updated 2024-10-27
Completed reviews Tsvart Last Call review of -14 by Colin Perkins (diff)
Genart Last Call review of -14 by Linda Dunbar (diff)
Secdir Last Call review of -14 by Scott G. Kelly (diff)
Opsdir Last Call review of -14 by Ran Chen (diff)
Assignment Reviewer Scott G. Kelly
State Completed
Request Last Call review on draft-ietf-lamps-rfc4210bis by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/Llyj7yel_Vp9fVMNOk0E-l10AW0
Reviewed revision 14 (document currently at 18)
Result Ready
Completed 2024-10-27
review-ietf-lamps-rfc4210bis-14-secdir-lc-kelly-2024-10-27-00
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

The summary of the review is ready.

From the abstract, this document obsoletes RFC 4210 by including the updates
specified by CMP Updates RFC 9480 Section 2 and Appendix A.2 maintaining
backward compatibility with CMP version 2 wherever possible and obsoletes both
documents.

Because this document is the product a security area working group, I assume
the security considerations have been extensively reviewed already and that
this secdir review is largely pro forma.

I confirmed that the security considerations section consolidates the security
considerations from RFC4210 and RFC9480. There is one new section added: "8.1.
On the Necessity of Proof-Of-Possession". I think the RFC editor may suggest an
update, but I'll comment anyway - the second sentence says, "If an entity
holding a private key obtains a certificate containing the corresponding public
key issued for a different entity, can authenticate as the entity named in the
certificate." I think this might read more smoothly if you add "it" before "can
authenticate".