Secure Zero Touch Provisioning (SZTP)
RFC 8572

Note: This ballot was opened for revision 25 and is now closed.

Ignas Bagdonas Yes

Alvaro Retana Yes

Deborah Brungard No Objection

(Ben Campbell) No Objection

Comment (2018-12-05 for -25)
I support Adam's and Alexey's DISCUSS points.

§1.2: I have a bit of discomfort in how the manufacturer/owner business model is encoded into this. In particular, is there any possibility of anonymous owners? How about secondary markets (i.e. transfer of a device between owners) without mediation by the manufacturer? But I see this is actually mentioned in the security considerations, so I don't really expect a change.

§3.1, 4th paragraph: The first sentence is convoluted; please consider breaking it into multiple simpler sentences.

- 6th paragraph: The first sentence is even more convoluted.

§5.6, 10th paragraph: I'm not sure how to interpret "MUST try". That doesn't seem verifiable.
-- first bullet under "implementation notes": is "roll out of" the same thing as "roll back"?

§9.8:
- 4th paragraph: Can the "best practices" be cited or described? Otherwise, the normative "RECOMMENDED" seems pretty vague. (Or are the next few sentences intended to define those practices?)

- 5th paragraph: Paragraph is hard to parse.

Alissa Cooper No Objection

Comment (2018-12-06 for -25)
Unfortunately I ran out of time to review this document, so balloting no objection on the basis of the Gen-ART review.

(Spencer Dawkins) No Objection

Benjamin Kaduk (was Discuss) No Objection

Comment (2019-01-05 for -27)
Thank you for the good discussion and resolution on both my Discuss points and the Comments, as well as for this clear and considered document and design; it really lays out the scenario of applicability and the functionality quite well.

Suresh Krishnan (was Discuss) No Objection

Comment (2018-12-21 for -26)
Thanks for addressing my DISCUSS and comments.

Mirja Kühlewind No Objection

Comment (2018-11-30 for -25)
Thanks for this well-written doc.

One quick question which wasn't fully clear to me from the text in the doc: 
If onboarding fails at some point, is the device supposed to iterate over another bootstrapping source or stop completely?

One minor comment:
Maybe spell out TPM and provide a reference.

Alexey Melnikov (was Discuss) No Objection

Comment (2018-12-21 for -26)
Thank you for addressing my DISCUSS and comments!

One nit remains:
Also, "URI" deserves to be a Normative Reference, as it defines the generic syntax you are referring to.

Adam Roach (was Discuss) No Objection

Comment (2018-12-20 for -26)
Thanks for addressing my discuss point.

Martin Vigoureux No Objection