Secure Zero Touch Provisioning (SZTP)
draft-ietf-netconf-zerotouch-29

Thanks for addressing my discuss point.

Thank you for addressing my DISCUSS and comments!

One nit remains:
Also, "URI" deserve to be a Normative Reference, as it defines the generic syntax you are referring to.

Unfortunately I ran out of time to review this document, so balloting no objection on the basis of the Gen-ART review.

I support Adam's and Alexey's DISCUSS points.

§1.2: I have a bit of discomfort in how the manufacturer/owner business model is encoded into this. In particular, is there any possibility of anonymous owners? How about secondary markets (i.e. transfer of a device between owners) without mediation by the manufacturer.)? But I see this is actually mentioned in the security considerations, so I don't really expect a change.

§3.1, 4th paragraph: The first sentence is convoluted; please consider breaking it into multiple simpler sentences.

- 6th paragraph: The first sentence is even more convoluted.

§5.6, 10th paragraph: I'm not sure how to interpret "MUST try". That doesn't seem verifiable.
-- first bullet under "implementation notes": is "roll out of" the same things as "roll back"?

§9.8:
- 4th paragraph: Can the "best practices" be cited or described? Otherwise, the normative "RECOMMENDED" seems pretty vague. (Or are the next few sentences intended to define those practices?

-5th paragraph: Paragraph is hard to parse.

Thank you for the good discussion and resolution on both my Discuss points and the Comments,
as well as for this clear and considered document and design; it
really lays out the scenario of applicability and the functionality quite
well.

Thanks for this well-written doc.

One quick question which wasn't fully clear to me from the text in the doc: 
If onboarding fails at some point, is the device supposed to iterate over another bootstrapping source or stop completely?

One minor comment:
Maybe spell out TPM and provide a reference.

Thanks for addressing my DISCUSS and comments.