I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready.

From the abstract, this document obsoletes RFC 4210 by including the updates specified by CMP Updates RFC 9480 Section 2 and Appendix A.2 maintaining backward compatibility with CMP version 2 wherever possible and obsoletes both documents.

Because this document is the product of a security area working group, I assume the security considerations have been extensively reviewed already and that this secdir review is largely pro forma. I confirmed that the security considerations section consolidates the security considerations from RFC4210 and RFC9480.

There is one new section added: "8.1. On the Necessity of Proof-Of-Possession". I think the RFC editor may suggest an update, but I'll comment anyway - the second sentence says, "If an entity holding a private key obtains a certificate containing the corresponding public key issued for a different entity, can authenticate as the entity named in the certificate." I think this might read more smoothly if you add "it" before "can authenticate".