Last Call Review of draft-wallace-est-alt-challenge-04

Request: Review of draft-wallace-est-alt-challenge
Requested rev.: no specific revision (document currently at 08)
Type: Last Call Review
Team: Security Area Directorate (secdir)
Deadline: 2016-03-15
Requested: 2016-02-11
Authors: Max Pritikin, Carl Wallace
Draft last updated: 2016-03-23
Completed reviews:
  Genart Last Call review of -04 by Elwyn Davies
  Genart Telechat review of -05 by Elwyn Davies
  Secdir Last Call review of -04 by Alexey Melnikov
  Opsdir Last Call review of -04 by Rick Casarez
Assignment: Reviewer Alexey Melnikov
State: Completed
Review: review-wallace-est-alt-challenge-04-secdir-lc-melnikov-2016-03-23
Reviewed rev.: 04 (document currently at 08)
Review result: Ready
Review completed: 2016-03-23


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document defines the otpChallenge attribute for use when a one-
time password (OTP) value within the CSR is a requirement.  The
revocationChallenge attribute is defined to allow disambiguated usage
of the original challenge password attribute semantics for
certificate revocation.  The estIdentityLinking attribute is defined
to reference existing EST challenge password semantics with no
potential for confusion with legacy challenge password practices.
These attributes provide disambiguation of the existing
overloaded uses for the challengePassword attribute defined in PKCS
(Public-Key Cryptography Standards) #9 [RFC2985].
The Security Considerations section seems adequate.

I found one issue in the ASN.1 module in Appendix A, but it was fixed in
the most recent version. So the document is ready for publication.
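The disambiguation the review summarises is purely a matter of which attribute OID a CSR carries: a server that receives only the PKCS#9 challengePassword cannot tell an enrollment OTP from a revocation secret, whereas otpChallenge, revocationChallenge and estIdentityLinking each have their own OID. The following stdlib-only Python is an added example, not code from the review, the draft or its authors. It encodes and parses PKCS#10-style Attribute structures so the three attributes can be carried and recognised alongside a legacy challengePassword. Assumptions: the three new OIDs are written down here from memory of the published RFC 7894 (id-aa arcs 56, 57 and 58) and must be checked against the RFC before use; the legacy challengePassword OID is PKCS#9's {pkcs-9 7}; values are encoded as UTF8String for simplicity, while the real ASN.1 types are the ones in the draft's Appendix A. The sample attribute set at the bottom is constructed for the example.

```python
# Added example (not part of the secdir review or the draft): minimal DER
# encoder/decoder for PKCS#10 Attribute structures, showing how the
# disambiguated EST attributes and a legacy challengePassword are told apart
# by OID. OIDs for the three new attributes are ASSUMED (from memory of
# RFC 7894, id-aa 56/57/58) and must be verified against the RFC; values are
# encoded as UTF8String for simplicity.

CHALLENGE_PASSWORD = "1.2.840.113549.1.9.7"            # PKCS#9 challengePassword
OTP_CHALLENGE = "1.2.840.113549.1.9.16.2.56"           # assumed: id-aa-otpChallenge
REVOCATION_CHALLENGE = "1.2.840.113549.1.9.16.2.57"    # assumed: id-aa-revocationChallenge
EST_IDENTITY_LINKING = "1.2.840.113549.1.9.16.2.58"    # assumed: id-aa-estIdentityLinking

NAMES = {
    CHALLENGE_PASSWORD: "challengePassword (legacy, overloaded)",
    OTP_CHALLENGE: "otpChallenge",
    REVOCATION_CHALLENGE: "revocationChallenge",
    EST_IDENTITY_LINKING: "estIdentityLinking",
}


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_attribute(oid: str, value: str) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF UTF8String }."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x31, _tlv(0x0C, value.encode("utf-8"))))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_attributes(der: bytes):
    """Parse concatenated Attribute SEQUENCEs into [(oid, [values])]."""
    out, pos = [], 0
    while pos < len(der):
        tag, body, pos = _read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected Attribute SEQUENCE")
        tag, oid_body, p = _read_tlv(body, 0)
        if tag != 0x06:
            raise ValueError("expected attribute type OID")
        tag, set_body, _ = _read_tlv(body, p)
        if tag != 0x31:
            raise ValueError("expected SET OF values")
        values, q = [], 0
        while q < len(set_body):
            vtag, vbody, q = _read_tlv(set_body, q)
            if vtag != 0x0C:
                raise ValueError("expected UTF8String value")
            values.append(vbody.decode("utf-8"))
        out.append((decode_oid(oid_body), values))
    return out


def challenge_values(attrs, oid: str):
    """All values carried under one attribute OID (empty list if absent)."""
    return [v for o, vals in attrs if o == oid for v in vals]


if __name__ == "__main__":
    # Constructed sample: an enrollment OTP, a revocation secret and a legacy
    # challengePassword whose intended use cannot be recovered from the OID.
    der = (encode_attribute(OTP_CHALLENGE, "731950")
           + encode_attribute(REVOCATION_CHALLENGE, "revoke-me-later")
           + encode_attribute(CHALLENGE_PASSWORD, "ambiguous-secret"))
    for oid, vals in parse_attributes(der):
        print(NAMES.get(oid, oid), vals)
```

The parser is deliberately strict about tags so that a mislabelled or malformed attribute fails loudly rather than being silently treated as one of the challenge values; a server only needs `challenge_values(attrs, OTP_CHALLENGE)` and friends to know which secret it is being asked to verify, which is exactly the ambiguity the new attributes remove.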