I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The draft specifies an extension to the Automated Certificate Management Environment (ACME) protocol that allows to automatically issue and manage certificates for nodes in the Delay-Tolerant Networking (DTN) networks. 

Issues.

I was hesitating whether it is a real issue or just the lack of my understanding of the protocol, but finally decided to mark it as an issue. Section 5.1 states that CSR MAY contain a mixed set of SAN claims, including combinations of "ip", "dns", and "bundleEID" claims. However, this document only defines how ACME server can validate "bundleEID" claim. I think that the document should at least mention how "dns" and "ip" claims should be validated (pointing to the appropriate specs).

Nits.

The document uses both MUST and SHALL keywords. Not a problem, but I think readability of the document would increase if only one of these forms were used.

Section 7.6.
I think that it should be mentioned more explicitly that these channels must provide mutual authentication of ACME client/server and corresponding BP agents, and that the channels must protect integrity and authenticity of the messages, and in some situations (when client account key thumbprint is transmitted) also their confidentiality. These are standard security services and I think it's better to use these terms.