[Ballot comment]
1. I agree with Adrian's comment that the term 'conservative' in the introductory section needs to be explained or dropped

2. The note in the IANA considerations section is for the RFC Editor - doesn't matter too much though as it instructs to take our the null content section.

[Ballot comment]
I have a couple of comments that don't merit a Discuss, but I would be
grateful if the authors thought about them and made any necessary
changes.

---

I found Section 1...
  This document defines a conservative procedure
...ambiguous. I think that "conservative" needs to be qualified in some
way. conservative with respect to conserving keys? Not changing keys
often? Not requiring many messages? Not risking security?

---

There are a couple of uses of SHOULD which I feel would benefit from an
explanation of how/why a variation MAY be allowed. In one case, I am
relatively sure you mean MUST rather than SHOULD, viz.

  To perform a key rollover operation the CA MUST perform the following
  steps in the order given here.  Unless specified otherwise each step
  SHOULD be performed without any intervening delay.  The process MUST
  be run through to completion.

That is, the variance is already handled by "unless specified otherwise"
so there is no further scope for variance.

[Ballot comment]
4.1 - is it really wise to encourage (even obliquely)
re-use of serial numbers? I'd say  s/MAY change/SHOULD
change/ there would be better.

If making that change, it'd be good to say when its ok
to re-use  serial numbers - that could be when an internal
DB design uses certificate.serialNumber as a DB
key which may be silly but has been done.

State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
CC: <sidr@ietf.org>
Reply-To: ietf@ietf.org
Subject: Last Call: <draft-ietf-sidr-keyroll-06.txt> (CA Key Rollover in the RPKI) to BCP


The IESG has received a request from the Secure Inter-Domain Routing WG
(sidr) to consider the following document:
- 'CA Key Rollover in the RPKI'
  <draft-ietf-sidr-keyroll-06.txt> as a BCP

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-05-18. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-sidr-keyroll/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-sidr-keyroll/


No IPR declarations have been submitted directly on this I-D.

  (1.a) Who is the Document Shepherd for this document? Has the
        Document Shepherd personally reviewed this version of the
        document and, in particular, does he or she believe this
        version is ready for forwarding to the IESG for publication?

The document shepherd is Sandra Murphy, sidr co-chair.  The document
shepherd has personally reviewed the document.  No issues were
discovered that would prevent advancement.  This document is ready
for forwarding to the IESG.

  (1.b) Has the document had adequate review both from key WG members
        and from key non-WG members? Does the Document Shepherd have
        any concerns about the depth or breadth of the reviews that
        have been performed?

This document was created in July 2010 by extraction of a portion
of the res-certs draft that had been in the draft for two years.
So while the working group has not had a long opportunity to review
the draft separately, the text has been subject to review as part of
the parent draft for quite a while.  On its own, it was presented at
the IETF 79.  The working group last call brought forth a few
comments that were quickly dealt with.  The shepherd has no concerns
about the level of review of the draft.

  (1.c) Does the Document Shepherd have concerns that the document
        needs more review from a particular or broader perspective,
        e.g., security, operational complexity, someone familiar with
        AAA, internationalization or XML?

No, the document shepherd has no concerns about this document.

  (1.d) Does the Document Shepherd have any specific concerns or
        issues with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he
        or she is uncomfortable with certain parts of the document, or
        has concerns whether there really is a need for it. In any
        event, if the WG has discussed those issues and has indicated
        that it still wishes to advance the document, detail those
        concerns here. Has an IPR disclosure related to this document
        been filed? If so, please include a reference to the
        disclosure and summarize the WG discussion and conclusion on
        this issue.

The document shepherd has no concerns with advancing this document. No
IPR claims have been filed against this document.

  (1.e) How solid is the WG consensus behind this document? Does it
        represent the strong concurrence of a few individuals, with
        others being silent, or does the WG as a whole understand and
        agree with it?

The working group has actively participated in discussions of this
topic, on list and in IETF presentations. The last call response
indicated broad support.

  (1.f) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It
        should be in a separate email because this questionnaire is
        entered into the ID Tracker.)

No appeals have been issued or threatened for this document.

  (1.g) Has the Document Shepherd personally verified that the
        document satisfies all ID nits? (See the Internet-Drafts Checklist
        and http://tools.ietf.org/tools/idnits/). Boilerplate checks are
        not enough; this check needs to be thorough. Has the document
        met all formal review criteria it needs to, such as the MIB
        Doctor, media type and URI type reviews?

The tools site idnits tool reports:

      Summary: 0 errors (**), 1 warning (==), 1 comment (--).

The warning is a formatting issue with form feeds and the comment has to
do with the document date.


  (1.h) Has the document split its references into normative and
        informative? Are there normative references to documents that
        are not ready for advancement or are otherwise in an unclear
        state? If such normative references exist, what is the
        strategy for their completion? Are there normative references
        that are downward references, as described in [RFC3967]? If
        so, list these downward references to support the Area
        Director in the Last Call procedure for them [RFC3967].

Yes, the document has split its references into normative and informative
sections.  This document relies normatively on several other
working group documents that are advancing at the same time or
have been through last call and are awaiting a final version addressing
minor comments.  This document is intended for BCP status and one reference
is a standards track draft.  The idnits tool does not signal a downref
problem with that reference.  The general issue of producing a BCP
document with references to standards track documents has been raised
with the routing ADs as it occurs with other drafts in the working
group.

  (1.i) Has the Document Shepherd verified that the document IANA
        consideration section exists and is consistent with the body
        of the document? If the document specifies protocol
        extensions, are reservations requested in appropriate IANA
        registries? Are the IANA registries clearly identified? If
        the document creates a new registry, does it define the
        proposed initial contents of the registry and an allocation
        procedure for future registrations? Does it suggest a
        reasonable name for the new registry? See [RFC5226]. If the
        document describes an Expert Review process has Shepherd
        conferred with the Responsible Area Director so that the IESG
        can appoint the needed Expert during the IESG Evaluation?

The IANA Considerations section exists, is consistent with the document,
and does not create a new registry or entries in an existing registry.

  (1.j) Has the Document Shepherd verified that sections of the
        document that are written in a formal language, such as XML
        code, BNF rules, MIB definitions, etc., validate correctly in
        an automated checker?

This document has no formal language to verify.


  (1.k) The IESG approval announcement includes a Document
        Announcement Write-Up. Please provide such a Document
        Announcement Write-Up? Recent examples can be found in the
        "Action" announcements for approved documents. The approval
        announcement contains the following sections:
      Technical Summary
        Relevant content can frequently be found in the abstract
        and/or introduction of the document. If not, this may be
        an indication that there are deficiencies in the abstract
        or introduction.
      Working Group Summary
        Was there anything in WG process that is worth noting? For
        example, was there controversy about particular points or
        were there decisions where the consensus was particularly
        rough?
      Document Quality
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?

Technical Summary

    This document describes how a Certification Authority (CA) in the
    Resource Public Key Infrastructure (RPKI) performs a planned rollover
    of its key pair. This document also notes the implications of this
    key rollover procedure for Relying Parties (RPs). In general, RPs are
    expected to maintain a local cache of the objects that have been
    published in the RPKI repository, and thus the way in which a CA
    performs key rollover impacts RPs.

Working Group Summary

    The most contentious issue in the progress of this draft was an
    issue raised shortly after the wglc ended.  The issue was discussed
    vigorously on the list (between a small number of members) and a
    change in requirements level was made, but that did not totally
    answer the original commenter.  There was broad support for the
    draft during the wglc and consensus was not reached on the technical
    change suggested in this last discussion, so the document was progressed
    with the compromise requirement change only.  The member bringing the
    issue to the list is resigned to the outcome.

Document Quality

    This is another case in this working group in which a section of
    a document of long standing has been lifted out to be a draft of
    its own.  This draft had been a topic in the res-certs profile
    and was extracted when the working group was asked by the security
    ADs to provide a plan for algorithm agility and key rollover.  As
    such it has had the benefit of a long history of reviews of the
    parent document.