Last Call Review of draft-igoe-secsh-x509v3-
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other review comments.
The document describes how to use X509 and OCSP within SSH. It is
clearly written, and the security considerations section is
appropriate (it mostly points to the relevant sections in the SSH,
X509, and OCSP RFCs).
I have one nit, which is wording that authors might want to change for
clarity. Section 4 says "The mapping between certificates and host
names is left as an implementation and configuration issue for
implementers and system administrators." I believe that what is
meant is that "The method that the server uses to verify that the host
certificate and key actually belongs to the client host named in the
message is out of scope of this note", to use language from RFC 4252.