Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Mon, 14 January 2019 22:12 UTC

Date: Mon, 14 Jan 2019 16:11:56 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Kent Watsen <kwatsen@juniper.net>
CC: Adam Roach <adam@nostrum.com>, Dave Crocker <dcrocker@bbiw.net>, Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/8iwsNLd9IC1YvmEBmywZxeMtoM0>

On Mon, Jan 14, 2019 at 08:43:28PM +0000, Kent Watsen wrote:
> Hi Ben,
> 
> >>   I just posted -28 to address this last COMMENT.
> >>   Please review to see how it can be improved.
> >> 
> >>   The draft no longer says it uses DNS-SD and it
> >>   now registers "_sztp" in DNS Underscore Global
> >>   Scoped Entry Registry.
> >>   
> >>   Here's a direct link to updated/new sections:
> >>    - https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-28#section-4.2
> >>    - https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-28#section-10.7
> >
> > Thanks, this seems to be a fine resolution of the issues.
> 
> Great!
> 
> 
> > While looking at the diff, I managed to confuse myself as to where it is
> > specified how the device serial number is encoded in the identity
> > certificate (so that we are confident that that encoding is usable as a
> > DNS label).  Am I correct in assuming that that's in 802.1AR?  (Also, the
> > URL in the -28 gave me a 404, and I ended up at
> > https://standards.ieee.org/standard/802_1AR-2018.html by searching.)
> 
> Yes, that is the correct URL.  I've fixed it in my local copy.  The 802.1AR spec is behind a paywall, but it says this about the serial number:
> 
>   An IDevID certificate subject field be non-null and should
>   include a   unique device serial number encoded as the 
>   serialNumber attribute(RFC 5280 X520SerialNumber).
> 
> From RFC 5280:
> 
>    X520SerialNumber ::=    PrintableString (SIZE (1..ub-serial-number))
> 
>    ub-serial-number INTEGER ::= 64
> 
>    The character string type PrintableString supports a very basic Latin
>    character set: the lowercase letters 'a' through 'z', uppercase
>    letters 'A' through 'Z', the digits '0' through '9', eleven special
>    characters ' = ( ) + , - . / : ? and space.
> 
> Any comments/concerns about this?

Sigh.  There could be some excitement here (but might not be), but I think
I'm going to have to defer to some people with more DNS (and X.500)
expertise.  There are several potential (but not certain) issues here,
including at least:

(1) ub-serial-number is 64, and the maximum length of a DNS label is 64
octets, so we have no room for escaping or encoding at the margins.

(2) RFC 1034 suggests that DNS domain name comparisons should be performed
in a case-insensitive manner (for alphabetic ASCII a-z/A-Z), but that
labels themselves can contain arbitrary octets.  There is some placation
here in that X.520 appears to define the Serial Number attribute should use
a caseIgnoreMatch equality matching rule, so maybe this is a non-issue.

(3) Those extra characters (other than '-') are not allowed in DNS host
names.  AIUI, that technically shouldn't be a problem for this usage, but
I'm not 100% confident, and maybe some implementations are wrong.

(4) Using '.' in a label is pretty rare and requires escaping for textual
presentation (but this is not inherently a fatal flaw and would not hit the
64-character limit on label length).

But on the whole, the question I want to ask myself here is along the lines
of "how likely is there to be implementation incompatibility in this
space?".  If serial numbers in practice are not using the full flexibility,
this could still be a non-issue.

> 
> PS: I'll defer publishing the update until sure nothing more is coming.  
> 
> PPS: Looking at Datatracker, all items are cleared and the summary now says "Has enough positions to pass".  Out of curiosity, how does the document progress to the next state - is it the Responsible AD pushing a button of some sort?

The next step is the responsible AD informing the Secretariat that the
document is approved.

-Benjamin
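
Added example, not part of the original message or of the draft: a Python check of an X520SerialNumber value against the kinds of concerns listed in (1) through (4) above when the value is used as a single DNS label. The function names and sample serial numbers are constructed for illustration; the label limit used is the 63-octet bound from RFC 1035, and the escaping follows the RFC 1035 master-file conventions (`\.` and `\DDD`).

```python
import string
from collections import defaultdict

# PrintableString alphabet as quoted from RFC 5280 in the message above.
PRINTABLE = set(string.ascii_letters + string.digits + "'=()+,-./:? ")
# Letters, digits and hyphen: the characters allowed in DNS host names.
LDH = set(string.ascii_letters + string.digits + "-")
UB_SERIAL_NUMBER = 64   # RFC 5280 upper bound quoted above
MAX_LABEL_OCTETS = 63   # RFC 1035 limit for one label (assumption of this example)


def check_serial_as_label(serial):
    """Return findings for using an X520SerialNumber as one DNS label."""
    if not 1 <= len(serial) <= UB_SERIAL_NUMBER:
        raise ValueError("length outside SIZE (1..ub-serial-number)")
    if set(serial) - PRINTABLE:
        raise ValueError("character outside PrintableString")
    findings = []
    if len(serial) > MAX_LABEL_OCTETS:
        findings.append("too-long")            # no room in the label at all
    if set(serial) - LDH:
        findings.append("non-ldh")             # not a valid host name label
    if "." in serial:
        findings.append("dot-needs-escaping")  # '.' is the label separator
    return findings


def presentation_label(serial):
    """Escape a serial for textual (zone-file style) presentation."""
    out = []
    for ch in serial:
        if ch in LDH:
            out.append(ch)
        elif ch == ".":
            out.append("\\.")
        else:
            out.append("\\%03d" % ord(ch))     # decimal octet escape
    return "".join(out)


def case_collisions(serials):
    """Group serials that DNS case-insensitive comparison treats as equal."""
    groups = defaultdict(list)
    for s in serials:
        groups[s.lower()].append(s)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    for sn in ["ABC123", "SN:12.34", "A" * 64]:   # constructed samples
        print(repr(sn), check_serial_as_label(sn), presentation_label(sn))
```
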