I am an assigned INT directorate reviewer for <draft-ietf-drip-auth>. These comments were written primarily for the benefit of the Internet Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the INT Directorate, see https://datatracker.ietf.org/group/intdir/about/.

Please note that this particular document is really outside of my area of expertise [1].

Based on my review, if I was on the IESG I would ballot this document as NO OBJECTION.

The only issue/comment I have is on the use of the DNS indicated in the document:

   An Observer SHOULD query DNS for the UA's HI.  If not available it
   may have been revoked.  Note that accurate revocation status is a
   DIME inquiry; DNS non-response is a hint that a DET is expired or
   revoked.  It MAY be retrieved from a local cache, if present.  The
   local cache is typically populated by DNS lookups and/or by received
   Broadcast Endorsements (Section 3.1.2).

I think additional details would be helpful on the assumptions of the DNS security mechanisms that are assumed are in place for this to work (or to make this not subject of attacks).

The following are minor issues (typos, misspelling, minor text improvements) with the document:

- Expand DRIP in the introduction (it is done in the abstract, but I think it improves readability if done also the first time the term is used in the main body of the document).

Thanks,

Carlos

[1] I should have probably realized this when assigning this document to myself for review, thus I owe another apology.