Linda

Thank you for your review and your comments.
I am sorry for responding so late. The co-authors and I wanted to consolidate 
the feedback to the different reviews.

Please see my response to your comment inline below.
The latest version of the draft ready for submission and a diff to the latest 
version on datatracker are available on github:
- https://lamps-wg.github.io/cmp-updates/#go.draft-ietf-lamps-rfc4210bis.html
- https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-lamps-rfc4210bis&url_2=https://lamps-wg.github.io/cmp-updates/draft-ietf-lamps-rfc4210bis.txt

Please let me know if the proposed changes sufficiently address your comments.

Hendrik


> From: Linda Dunbar via Datatracker <nore...@ietf.org>
> Sent: Tuesday, 29 October 2024 02:54
>
> Reviewer: Linda Dunbar
> Review result: Ready
>
> I am the assigned Gen-ART reviewer for this draft. The General Area Review Team
> (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF
> Chair.  Please treat these comments just like any other last call comments.
>
> For more information, please see the FAQ at
>
> <https://wiki.ietf.org/en/group/gen/GenArtFAQ>.
>
> Document: draft-ietf-lamps-rfc4210bis-14
> Reviewer: Linda Dunbar
> Review Date: 2024-10-28
> IETF LC End Date: 2024-10-23
> IESG Telechat date: Not scheduled for a telechat
>
> Summary:
> The document provides an extensive update to RFC 4210 with significant details on
> X.509 PKI management, message formats, and certificate operations.
>
> Major issues: As I am not an implementer, I can't identify any major issues of the
> message formats and operations just from reading them.
>
> Minor issues:
>
> Nits/editorial comments:
>
> Section 4.4 outlines the Root CA Key Update process, including conditions for
> maintaining old and new CA key pairs and link certificates. Given the complexity of
> this process, additional operational guidance would be beneficial for real-world
> scenarios, particularly in scenarios where multiple CA key updates may overlap. The
> document could provide examples or recommendations on updating practices,
> particularly where different validity periods for certificates and keys could create
> unexpected verification issues.

[HB] You are right. Continuously updating root CA keys with overlapping 
validity would benefit from additional guidance. There are already some further 
documents like Trust Anchor Management Protocol (TAMP) [RFC5934], Trust Anchor 
Management Requirements [RFC6024], Hash of Root Key Certificate Extension 
[RFC8649] that provide additional guidance. This document specifies CMP 
protocol messages to update root CA keys. It does not claim to discuss the 
topic in detail.

>
> Best Regards,
> Linda Dunbar
>

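The verification problem the reviewer points at (a relying party still holding only the old root key must reach certificates issued under the new key through a link certificate, and that link certificate's own validity period can end before the certificates it is needed for do) can be made concrete with a small model. The following is an added example, not text or code from the draft, the authors, or this thread. It uses the OldWithOld / OldWithNew / NewWithOld / NewWithNew naming of RFC 4210 section 4.4, models each certificate only as a binding of a subject key to a signing key with a validity window (no real signatures or ASN.1), and all key names, validity dates and end-entity certificates are constructed for illustration.

```python
"""Toy path building across a root CA key update (RFC 4210 section 4.4 style).

Added example, not from draft-ietf-lamps-rfc4210bis or its authors. Certificates
are modelled as key-to-key bindings with a validity window; no signatures are
checked. All keys, dates and certificates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cert:
    name: str          # human-readable label, also used in the returned chain
    subject_key: str   # key that this certificate certifies
    issuer_key: str    # key that signed this certificate
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def build_path(target: Cert, trusted_keys: set, pool: Iterable[Cert],
               at: datetime, depth: int = 4) -> Optional[List[str]]:
    """Depth-first search for a chain from 'target' up to a certificate signed
    by a trusted key, with every certificate on the chain valid at 'at'.
    Returns the chain as a list of certificate names, or None if none exists."""
    if not target.valid_at(at):
        return None
    if target.issuer_key in trusted_keys:
        return [target.name]           # signed directly by a trust anchor key
    if depth == 0:
        return None                    # bound the search (also stops cycles)
    for cand in pool:
        # Only certificates for the issuer key help; a self-signed certificate
        # adds nothing unless its key is already trusted (handled above).
        if cand.subject_key != target.issuer_key or cand.subject_key == cand.issuer_key:
            continue
        rest = build_path(cand, trusted_keys, pool, at, depth - 1)
        if rest is not None:
            return [target.name] + rest
    return None


def d(year: int, month: int = 1, day: int = 1) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed root CA key update: K_old is being replaced by K_new.
K_OLD, K_NEW = "K_old", "K_new"
OLD_WITH_OLD = Cert("OldWithOld", K_OLD, K_OLD, d(2020), d(2030))
NEW_WITH_NEW = Cert("NewWithNew", K_NEW, K_NEW, d(2025), d(2045))
# Link certificates (assumed validity: both end with the old root key, 2030).
NEW_WITH_OLD = Cert("NewWithOld", K_NEW, K_OLD, d(2025), d(2030))
OLD_WITH_NEW = Cert("OldWithNew", K_OLD, K_NEW, d(2025), d(2030))
POOL = [OLD_WITH_OLD, NEW_WITH_NEW, NEW_WITH_OLD, OLD_WITH_NEW]

# Constructed end-entity certificates: one issued under each root key. The
# second one deliberately outlives NewWithOld (valid until mid-2031).
EE_OLD = Cert("ee-signed-by-old", "K_ee1", K_OLD, d(2024), d(2027))
EE_NEW = Cert("ee-signed-by-new", "K_ee2", K_NEW, d(2029, 6), d(2031, 6))


def verify(ee: Cert, trusted_keys: Iterable[str], at: datetime) -> Optional[List[str]]:
    """Chain for 'ee' as seen by a relying party trusting 'trusted_keys' at time 'at'."""
    return build_path(ee, set(trusted_keys), POOL, at)


if __name__ == "__main__":
    # Relying party that never updated its trust anchor (still only K_old):
    print(verify(EE_NEW, [K_OLD], d(2029, 7)))  # reaches K_new via NewWithOld
    print(verify(EE_NEW, [K_OLD], d(2030, 6)))  # None: NewWithOld expired, EE still valid
    # Relying party that installed the new root key:
    print(verify(EE_NEW, [K_NEW], d(2030, 6)))  # direct
    print(verify(EE_OLD, [K_NEW], d(2026)))     # old-key cert via OldWithNew
```

The second call is the case the review describes: the end-entity certificate is still within its validity period, but a relying party that only trusts the old root key can no longer build a path once the NewWithOld link certificate has expired. Whether that outcome is intended (forcing trust anchor roll-over) or a deployment mistake depends on how the validity of the link certificates is chosen relative to the certificates issued under the new key, which is exactly the operational guidance the reviewer asks for.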
_______________________________________________
Gen-art mailing list -- gen-art@ietf.org