Note: This ballot was opened for revision 25 and is now closed.
I support Adam's and Alexey's DISCUSS points. §1.2: I have a bit of discomfort in how the manufacturer/owner business model is encoded into this. In particular, is there any possibility of anonymous owners? How about secondary markets (i.e. transfer of a device between owners) without mediation by the manufacturer.)? But I see this is actually mentioned in the security considerations, so I don't really expect a change. §3.1, 4th paragraph: The first sentence is convoluted; please consider breaking it into multiple simpler sentences. - 6th paragraph: The first sentence is even more convoluted. §5.6, 10th paragraph: I'm not sure how to interpret "MUST try". That doesn't seem verifiable. -- first bullet under "implementation notes": is "roll out of" the same things as "roll back"? §9.8: - 4th paragraph: Can the "best practices" be cited or described? Otherwise, the normative "RECOMMENDED" seems pretty vague. (Or are the next few sentences intended to define those practices? -5th paragraph: Paragraph is hard to parse.
Unfortunately I ran out of time to review this document, so balloting no objection on the basis of the Gen-ART review.
Thank you for the good discussion and resolution on both my Discuss points and the Comments, as well as for this clear and considered document and design; it really lays out the scenario of applicability and the functionality quite well.
Thanks for addressing my DISCUSS and comments.
Thanks for this well-written doc. One quick question which wasn't fully clear to me from the text in the doc: If onboarding fails at some point, is the device supposed to iterate over another bootstrapping source or stop completely? One minor comment: Maybe spell out TPM and provide a reference.
Thank you for addressing my DISCUSS and comments! One nit remains: Also, "URI" deserve to be a Normative Reference, as it defines the generic syntax you are referring to.
Thanks for addressing my discuss point.