Early Review of draft-ietf-lamps-rfc7030-csrattrs-08
review-ietf-lamps-rfc7030-csrattrs-08-secdir-early-smyslov-2024-04-03-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
 Document editors and WG chairs should treat these comments just like any other
last call comments.

The draft aims to update RFC 7030 (Enrollment over Secure Transport) to
eliminate ambiguity that may arise when EST server wants the client to send
particular attribute values in the certificate request.

The draft states that the security considerations from RFC7030 are unchanged
and I tend to agree. The new mechanism may also increase privacy of the client
if the EST server specifies a new opaque identifier for IDevID (which is stated
in the draft).

Nits:
1. This draft updates RFC 7030, but this is not indicated in its header.

2. It seems to me that definition of id-aa-certificationRequestInfoTemplate
   in the Section 3.3 and in the Appendix A lacks the name of the new element
   in OID (only value "TBD2" is present).

3. Section 3.2, typo: s/MUST by/MUST be

4. Section 3.3, typo, perhaps: s/The avoid this drawback/To avoid this drawback

5. Section 3.3, possible typo: s/The SubjectPublicKeyInfo field must be
present/The SubjectPublicKeyInfo field MUST be present