Document: draft-ietf-pkix-crlaia-03.txt
Reviewer: Spencer Dawkins [spencer@mcsr-labs.org]
Review Date: Tuesday 8/30/2005 5:30 PM
Telechat Date: 9/01/2005

Summary: this document is nearly ready for publication as a Proposed
Standard, but one question should be asked.

Overall - I'm not a security guy, but this document seemed pretty
clearly written to me, and made sense. Nice work.

Question:
----------

In Section 3 Security Considerations:

Is there any more specific guidance that could be given about how
implementers "take into account" the possible existence described here?
Even a reference someplace would be nice.

   Implementers should take into account the possible existence of
   multiple unrelated CAs and CRL issuers with the same name.

Extreme Nit:
-------------

I apologize in advance for asking, but do we use abbreviations in RFC
titles? From
ftp://ftp.rfc-editor.org/in-notes/rfc-editor/instructions2authors.txt:

   Abbreviations (e.g., acronyms) in a title must generally be expanded
   when first encountered.

Nit:
----

In Section 2. Authority Information Access CRL Extension

This paragraph was a little harder to parse than it should have been:

   This extension MUST be identified by the extension object identifier
   (OID) defined in RFC 3280 (1.3.6.1.5.5.7.1.1), and the
   AuthorityInfoAccessSyntax MUST be used to form the extension value.
   For convenience, the ASN.1 [X.680] definition of the Authority
   Information Access extension is repeated below.

Could I suggest something like "This extension MUST be identified by the
extension Object IDentifier (OID) defined in RFC 3280
(1.3.6.1.5.5.7.1.1), and the Authority Information Access syntax MUST be
used to form the extension value. For convenience, the ASN.1 [X.680]
definition of the Authority Information Access extension is repeated
below."
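The paragraph the review quotes from Section 2 (the extension identified by OID 1.3.6.1.5.5.7.1.1 with an AuthorityInfoAccessSyntax value) is easier to pin down with a concrete encoding. What follows is an added example written for this page, not text or code from the draft or from the reviewer: a dependency-free DER encoder and decoder for that extension as it would appear in a CRL's crlExtensions, carrying one id-ad-caIssuers (1.3.6.1.5.5.7.48.2) access description. The URI http://example.com/ca.cer is a constructed placeholder, and the function names are this example's own. The decoder deliberately fails closed on any structural mismatch, including a wrong extnID, a missing OCTET STRING wrapper or an empty AccessDescription list.

```python
"""Minimal DER encode/decode for the Authority Information Access
extension (AuthorityInfoAccessSyntax, RFC 3280 section 4.2.2.1) as carried
in a CRL.  Constructed example; the URI below is a placeholder and no
network access happens here."""
from __future__ import annotations

ID_PE_AUTHORITY_INFO_ACCESS = "1.3.6.1.5.5.7.1.1"  # extnID for AIA (RFC 3280)
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"            # accessMethod: CA/CRL issuer cert
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"                  # accessMethod: OCSP responder


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06) in base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid for OID content bytes (first arc 0 or 1 only)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_aia(access: list[tuple[str, str]]) -> bytes:
    """AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    A uniformResourceIdentifier GeneralName is context tag [6] (0x86), IA5String."""
    descs = b"".join(
        _tlv(0x30, encode_oid(method) + _tlv(0x86, uri.encode("ascii")))
        for method, uri in access
    )
    return _tlv(0x30, descs)


def encode_extension(access: list[tuple[str, str]]) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  The extension is left non-critical, so DER
    requires the DEFAULT FALSE boolean to be omitted entirely."""
    return _tlv(0x30, encode_oid(ID_PE_AUTHORITY_INFO_ACCESS)
                + _tlv(0x04, encode_aia(access)))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def decode_extension(der: bytes) -> tuple[bool, list[tuple[str, str | None]]]:
    """Parse one Extension; return (critical, [(accessMethod, uri-or-None)]).
    Any structural mismatch raises ValueError rather than being accepted."""
    tag, ext, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Extension is not a single SEQUENCE")
    tag, oid_body, pos = _read_tlv(ext, 0)
    if tag != 0x06 or decode_oid(oid_body) != ID_PE_AUTHORITY_INFO_ACCESS:
        raise ValueError("extnID is not id-pe-authorityInfoAccess")
    tag, body, pos = _read_tlv(ext, pos)
    critical = False
    if tag == 0x01:                       # explicit critical flag present
        if body != b"\xff":
            raise ValueError("DER: critical FALSE must be omitted")
        critical = True
        tag, body, pos = _read_tlv(ext, pos)
    if tag != 0x04 or pos != len(ext):
        raise ValueError("extnValue must be the final OCTET STRING")
    tag, seq, end = _read_tlv(body, 0)
    if tag != 0x30 or end != len(body):
        raise ValueError("extnValue is not AuthorityInfoAccessSyntax")
    entries: list[tuple[str, str | None]] = []
    pos = 0
    while pos < len(seq):
        tag, desc, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        tag_m, method, p = _read_tlv(desc, 0)
        tag_l, loc, p2 = _read_tlv(desc, p)
        if tag_m != 0x06 or p2 != len(desc):
            raise ValueError("malformed AccessDescription")
        # Other GeneralName choices (directoryName, etc.) are legal; report
        # them with no URI rather than rejecting the whole extension.
        uri = loc.decode("ascii") if tag_l == 0x86 else None
        entries.append((decode_oid(method), uri))
    if not entries:
        raise ValueError("AuthorityInfoAccessSyntax requires at least one AccessDescription")
    return critical, entries


def ca_issuer_uris(entries: list[tuple[str, str | None]]) -> list[str]:
    """URIs from which the CRL issuer's certificate may be fetched."""
    return [uri for method, uri in entries if method == ID_AD_CA_ISSUERS and uri]


if __name__ == "__main__":
    ext = encode_extension([(ID_AD_CA_ISSUERS, "http://example.com/ca.cer")])
    print(ext.hex())
    print(decode_extension(ext))
```

A certificate fetched from one of the returned URIs is only a candidate for the CRL issuer: it still has to be validated through a certification path to a trust anchor, and the draft's own security consideration about unrelated CAs and CRL issuers sharing a name is the reason a match on the issuer name alone is not enough to accept it.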