Reviewer: Charlie Kaufman
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This Standards Track ID extends a family of protocols for limited function devices to obtain certificates from their surrounding environment with the assistance of an on-line manufacturer's authority that can authenticate information as coming from their device. It extends the BRSKI (RFC8995) protocol to deal with devices that prefer to accept incoming initialization requests rather than initiating outbound requests. It does this by defining a new node called a "registrar-agent" that acts as a client to both the to-be-registered "pledge" and the domain registrar.

The protocol is more elaborate than I would have thought necessary and offered a confusing array of options to deal with a variety of environments, but I could find no problems with it.

I found one sentence that I think has some typos, but I can't be sure. In section 3.2, it says:

"The mechanism described in this document presumes the availability of the pledge and the registrar-agent to communicate with another."

I suspect what was meant was:

"The mechanism described in this document presumes the ability of the pledge and the registrar-agent to communicate with one another."