I am the assigned ART-ART reviewer for this draft. Please treat these comments just like any other last call comments.

Document: draft-ietf-suit-update-management-10
Reviewer: Russ Housley
Review Date: 2025-12-18
IETF LC End Date: 2026-01-02
IESG Telechat date: unknown

Summary: Almost Ready

Major Concerns:

Section 4.4.1: Version numbers follow [semver], but this section imposes an additional requirement that the release version be a sequence of 1 to 3 positive integers. [semver] allows zero for the major, minor, and patch numbers:

   ::= "." "." ::= ::= ::= ::= "0" | |

Sections 4.6 and 5.1: These use "must" in statements about a parameter already being set. I think these statements ought to use MUST.

Minor Concerns:

Section 3.2 says:

   However, Recipients MUST NOT fail if a suit-coswid is present.

This statement contradicts the requirements in Section 1, where it states that all of the extensions in this specification are OPTIONAL, and that a Recipient that encounters a command or parameter it does not implement MUST reject the manifest. This MUST statement requires all implementations to recognize suit-coswid, so it is not OPTIONAL.

Nits:

Section 1: s/Software Bill of Materials/Software Bill of Materials (SBOM)/

Section 1: s/[I-D.ietf-suit-manifest] Section 8.4.2/Section 8.4.2 of [I-D.ietf-suit-manifest]/

Section 3.2: s/Software Bill of Materials/Software Bill of Materials (SBOM)/

Section 4.6: s/sections 8.4.10.4, 8.4.10.5, 8.4.10.6/Sections 8.4.10.4, 8.4.10.5, and 8.4.10.6/