Last Call Review of draft-ietf-sidr-bgpsec-pki-profiles-21

Request Review of draft-ietf-sidr-bgpsec-pki-profiles
Requested rev. no specific revision (document currently at 21)
Type Last Call Review
Team Ops Directorate (opsdir)
Deadline 2016-12-19
Requested 2016-12-05
Authors Mark Reynolds, Sean Turner, Stephen Kent
Draft last updated 2017-03-02
Completed reviews Genart Last Call review of -18 by Dale Worley (diff)
Secdir Last Call review of -19 by Yaron Sheffer (diff)
Opsdir Last Call review of -21 by Will LIU
Genart Telechat review of -19 by Dale Worley (diff)
Assignment Reviewer Will LIU 
State Completed
Review review-ietf-sidr-bgpsec-pki-profiles-21-opsdir-lc-liu-2017-03-02
Reviewed rev. 21
Review result Ready
Review completed: 2017-03-02


Hi all,

Sorry that it seems I missed this review request. I guess it's the first one assigned to me via the new review system.

I have reviewed draft-ietf-sidr-bgpsec-pki-profiles-21 as part of the Operational directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving the operational aspects of the IETF drafts. Comments that are not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

“This document defines a standard profile for X.509 certificates used
   to enable validation of Autonomous System (AS) paths in the Border
   Gateway Protocol (BGP), as part of an extension to that protocol
   known as BGPsec.  BGP is the standard for inter-domain routing in the
   Internet; it is the "glue" that holds the Internet together. BGPsec
   is being developed as one component of a solution that addresses the
   requirement to provide security for BGP.  The goal of BGPsec is to
   provide full AS path validation based on the use of strong
   cryptographic primitives.  The end-entity (EE) certificates specified
   by this profile are issued to routers within an Autonomous System. 
   Each of these certificates is issued under a Resource Public Key
   Infrastructure (RPKI) Certification Authority (CA) certificate. 
   These CA certificates and EE certificates both contain the AS
   Identifier Delegation extension.  An EE certificate of this type
   asserts that the router(s) holding the corresponding private key are
   authorized to emit secure route advertisements on behalf of the
   AS(es) specified in the certificate.  This document also profiles the
   format of certification requests, and specifies Relying Party (RP)
   certificate path validation procedures for these EE certificates.
   This document extends the RPKI; therefore, this documents updates the
   RPKI Resource Certificates Profile (RFC 6487).”

My overall view of the document is 'Ready' for publication.

** Technical **

** Editorial **

*Section 4

>BGPsec Router Certificates always include the BGPsec Rouer EKU
>     value; therefore, request without the value result in certificates
>     with the value; and,