I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This I-D is a part of the RPKI infrastructure built in the SIDR WG. And this document defines a framework for certificate management interactions between a resource issuer and a resource recipient.

I am not following the SIDR working group and thus I found it quite hard to review this draft. (So sorry for the big delay, it took me a while to find the time to get at least a quick introduction into RPKI.)

I read the document and the security considerations and I consider them well thought out, but there are some parts which are a bit confusing for someone not involved in the whole RPKI stuff.

1. I think that you should move the I-D.sidr-arch and I-D.sidr-res-certs from Informative to Normative References. The document uses much of the terminology ("resources", "Resource Certificates", etc.) which cannot be understood without reading at least those two.

2. In the terminology and the scope you use the terms "Certificates" and "Certificate Authority" and it's not clear if you talk about X.509 or RPKI. I think you should add a few sentences from I-D.sidr-res-certs to explain the very basics of Resource Certificates to the reader of this draft.

Apart from the difficulty of understanding the document, I found that all my concerns from reading the draft were addressed in the security considerations.

However, I would recommend reviewing the security of the output of the SIDR WG as a whole, because it defines quite an important infrastructure which will have an impact on the IPv4/6 resource handling. Personally I think that I may have overlooked something by reviewing just this one document without a thorough review of all related drafts.

O.
--
Ondřej Surý
vedoucí výzkumu/Head of R&D department
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:ondrej.sury at nic.cz http://nic.cz/
tel:+420.222745110 fax:+420.222745112
-------------------------------------------