Document: draft-ietf-sidr-arch-11
Reviewer: David L. Black
Review Date: February 24, 2011
IETF LC End Date: February 21, 2011

Summary: This draft is basically ready for publication, but has nits that should be fixed before publication.

First of all, I apologize for the tardiness of this review; I got sick over the past weekend and was unable to complete the review at that time.

This draft is very well-written - it explains the PKI concepts well and has good organization and flow. Overall, this is a nice piece of work, and an example of what an architecture document should be - a technical overview that leaves the details to other documents.

I found a number of minor items that are mostly editorial:

(1) Section 4.2 variously describes the repository system as including databases, file systems and possibly web servers as URIs are apparently required. I suggest that the term "directory structured" be used instead of discussing a directory in a file system. I suggest that the required update behavior of the database be described (e.g., how much of full ACID transaction support is required for what sorts or scopes of transactions). It appears that URIs are a required form of addressing (e.g., as the SIA certificate extension contains a URI), and I would suggest discussing the resulting URI requirements on the access protocols in Section 4.3 (e.g., relationship of the URI structure to the RSYNC directory structure).

(2) In section 4.3, beyond bulk download of the entire repository contents, is there also a requirement for bulk download of a directory's contents, or bulk download of the entire tree structure rooted at a directory?

(3) The last paragraph of Section 5 states that the repository system is untrusted. That statement should be repeated in Section 4's material on repositories.

(4) The draft selectively uses RFC 2119 upper case terms and their lower case counterparts. That usage should be carefully double-checked to ensure that the stronger upper case terms are used where needed - here are a couple of examples where upper case may be more appropriate than lower case:

- Top of p. 16: "An authority is required to issue a new manifest ..." (required -> REQUIRED ?)
- Start of section 7.2: "Whenever a certification authority ..., it must perform a key rollover procedure." (must -> MUST ?)

(5) Item 1 in Section 6 on Local Cache Maintenance says:

    1. Query the registry system to obtain a copy of all certificates, manifests and CRLs issued under the PKI.

Was "repository" intended instead of "registry"? Item 3 is related and uses the term "repository".

(6) idnits 2.12.07 earned its keep by finding a bunch of nits:

  ** There are 2 instances of too long lines in the document, the longest one being 18 characters in excess of 72.

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but does not include the phrase in its RFC 2119 key words list.

  == Missing Reference: 'RFC3 779' is mentioned on line 166, but not defined

  == Missing Reference: 'RFC 5871' is mentioned on line 647, but not defined

  == Unused Reference: 'SIDR-ALG' is defined on line 1040, but no explicit reference was found in the text

  == Unused Reference: 'PROVISION' is defined on line 1058, but no explicit reference was found in the text

  == Unused Reference: 'RFC 5781' is defined on line 1062, but no explicit reference was found in the text

  -- No information found for draft-ietf-sidr-rpki-signed-object - is the name correct?

  -- No information found for draft-ietf-sidr-rescert-provisioning - is the name correct?