Last Call Review of draft-ietf-sidr-cp-

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.

This document describes a certificate policy for Internet number
resource holdings; basically, this is proposed to be the CP for the
routing PKI being proposed in the SIDR WG. As such, it is a bunch of
minutiae that relying parties are supposed to care about, but will mostly
accept blindly. This document is closely modeled after RFC 3647, the CP
that is the framework for most CPs we see in the PKIX world.

The security considerations listed in the document seem fine. They call
out the fact that names are not unique in the RPKI (as if they were in
the normal PKIX world...), so that relying parties must not rely just on
the names for chaining, but must also be sure the expected signing key
is used as well. This document could have a zillion more security
considerations aimed at relying parties that don't pay careful
attention, but such text would likely be ignored by the same parties who
ignore the main CP text. Thus, this document is fine as-is.
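
The chaining point in the security considerations, as an added example (not part of this review or of the draft): two constructed CA certificates carry the same subject name, and only the signature check under the candidate's key identifies the real issuer. The function names, certificate names and the use of Ed25519 keys are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue makes a constructed CA certificate with a fresh Ed25519 key (an assumption of this example); nil parent = self-signed.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	if err != nil {
		panic(err)
	}
	return cert, key
}
// candidates keeps CAs whose subject equals child's issuer; checkKey also requires child's signature to verify under the CA key.
func candidates(child *x509.Certificate, checkKey bool, cas ...*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, ca := range cas {
		if string(child.RawIssuer) == string(ca.RawSubject) && (!checkKey || child.CheckSignatureFrom(ca) == nil) {
			out = append(out, ca)
		}
	}
	return out
}
// demo: two constructed CAs share one subject name; the child is signed by the CA with serial 1.
func demo() (byName, byKey []*x509.Certificate) {
	caA, keyA := issue("CONSTRUCTED-CA", 1, nil, nil)
	caB, _ := issue("CONSTRUCTED-CA", 2, nil, nil)
	child, _ := issue("constructed-child", 3, caA, keyA)
	return candidates(child, false, caB, caA), candidates(child, true, caB, caA)
}
func main() {
	byName, byKey := demo()
	fmt.Println("name only:", len(byName), "name and key:", len(byKey), "issuer serial:", byKey[0].SerialNumber)
}
```

Matching on the name alone leaves both CAs as possible issuers; adding the signature check leaves only the one whose key actually signed the child.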