I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is: Ready with Nits.

This seems to be a useful incremental improvement to RFC 5280. The Security Considerations seem reasonable. The nits are minor and can likely be resolved as part of the RFC Editor process.

Nits:

* RFC 3492 is listed as an Informative reference, but section 2.3 (which modifies section 7.2 of RFC 5280) is normative text that refers to it (though not using an RFC 2119 keyword). Arguably this might be OK, because I think other normative references in this document transitively cite RFC 3492.

* RFC 3629 is listed as an Informative reference, but the new text in section 2.4 (which modifies section 7.5 of RFC 5280) appears to refer to it normatively (about BOMs).

Best regards,
-Taylor