I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Disclaimer: I'm active in the SIDR WG and have reviewed this draft before. In the big picture, this draft is fine. I have three little requests: -- I would very much like to see an informational reference to the roa-validation draft (already approved for publication), which explains more about how ROAs should be interpreted. -- I made a suggestion in WG last call that appears not to have been addressed by the editors. That was: It might be worthwhile to repeat in section 3 (validation) [now section 4] the requirement from section 7.2 [now 7.3] of the architecture draft that "...a relying party must fetch new ROAs from the repository system before taking any routing action in response to a ROA revocation." -- The Address Family Identifier appears to come out of nowhere in section 3.3. Another mention of RFC3779 is needed when the AFI is introduced. (Previous versions of this draft (07 and earlier) at least told readers which of the allowed values corresponded to IPv4 and IPv6, but even that has been taken out of this version.)