Hi,

I have been selected as the Operational Directorate (opsdir) reviewer for this Internet-Draft.

Document: Short-Lived Certificates for Secure Telephone Identity (draft-ietf-stir-certificates-shortlived-05)
Reviewer: Gen Chen
Review Date: 23.04.2026
Intended Status: Standards Track

Summary

Has Issues: I have some minor concerns about this document that I think should be resolved before publication.

This document defines short-lived certificates (valid for days/hours) for STIR, using ACME for automated issuance and mandating x5c in-band certificate conveyance to eliminate OCSP/CRL lookups.

Minor Issues

- No "Operational Considerations" section is presented, since carriers are mainly responsible for certificate requests to the ACME server and the running of the STIR mechanism.
- Some descriptions in the document do not comply with the key words in section 2; this could confuse readers about what should be complied with. (Example: "As an optimization, this specification requires the conveyance of the certificate chain for a short-lived certificate via the "x5c" JWS header element" in section 4; here "requires" is suggested to be replaced with key words from section 2.)
- x5c is standardized in JWS (RFC 7515) but its use with short-lived certificates in high-volume SIP networks is unproven at scale. There is no clarification on the performance risks involved.

Nits

The document does not specify reasonable default values for critical parameters, such as:

- Certificate lifetime: Vague ("days or even hours"). No default or recommended value
- ACME pre-fetch window: how long before expiry to request renewal
- Retry policy: Aggressive retries overwhelm the CA