Last Call Review of draft-ietf-sidr-repos-struct-
review-ietf-sidr-repos-struct-secdir-lc-salowey-2011-05-19-00

Request Review of draft-ietf-sidr-repos-struct
Requested rev. no specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2011-05-18
Requested 2011-05-07
Authors Geoff Huston, Robert Loomans, George Michaelson
Draft last updated 2011-05-19
Completed reviews Secdir Last Call review of -?? by Joseph Salowey
Secdir Telechat review of -?? by Yaron Sheffer
Assignment Reviewer Joseph Salowey
State Completed
Review review-ietf-sidr-repos-struct-secdir-lc-salowey-2011-05-19
Review completed: 2011-05-19

Review
review-ietf-sidr-repos-struct-secdir-lc-salowey-2011-05-19

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

In general the draft looks useful, but I think there are a few things that need to be addressed before publication.  

1.   The document asks for a registration for the extension  .roa for Route Origination Authorization, but the discussion of this type is absent from the rest of the document.  
2.   In section 2.2 under certificates it would probably be good to specify the encoding of the certificate since there are different encodings in use (DER, Base64,etc).  
3.   The document is not very specific on what signed objects may consist of.   The security considerations section points out that the repository itself does not provide integrity protection.  The security considerations section should probably also mention that confidentiality is also not provided by the repository or by the signed objects (unless there is some mechanism used to ensure the confidentiality of the data which would need to be specified)  and that data that requires controlled access should not be included in signed objects in the repository.

Thanks,

Joe