MIME-Version: 1.0
References: <3703708B-4454-4AC9-87AF-961C73B1F331@akamai.com>
 <CAHbrMsDco31pxyBMBSdbgh5aMnttyC1G_tDTg1tz-aAzto=5dw@mail.gmail.com>
 <fee01750-7afb-02a7-50ee-30453805abec@isode.com>
In-Reply-To: <fee01750-7afb-02a7-50ee-30453805abec@isode.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 20 Apr 2020 20:12:59 -0400
Message-ID: <CAHbrMsAdXvpRt2zCUn7DLNerxhZCFe4pS0TM1qzmaCUGKVYT=A@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="0000000000009bd5d905a3c1e100"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/-ZXK41rS3mwGaFmfHlECBmO7-9k>
Subject: Re: [Acme] WG last call for draft-ietf-acme-email-smime-06

--0000000000009bd5d905a3c1e100
Content-Type: multipart/alternative; boundary="00000000000093986305a3c1e1d1"

--00000000000093986305a3c1e1d1
Content-Type: text/plain; charset="UTF-8"

On Wed, Apr 1, 2020 at 5:40 AM Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi Ben,
>
> My apologies for missing your email in March:
>

And mine for this delayed response.

> On 12/03/2020 20:42, Ben Schwartz wrote:
>
> Section 3 says token-part1 "contains at least 64 bit of entropy", but
> Section 3.1 says token-part1 "MUST be at least 64 octet long after
> decoding".  Is this difference deliberate?
>
> No, I obviously made a typo when saying octets. I will fix.
>
> Also 64 octets of entropy is a _lot_.  RFC 8555 says "the token is
> required to contain at least 128 bits of entropy".
>
> The draft seems to be oriented entirely toward use with e-mail clients
> that have a built-in ACME-S/MIME client.  I'm a bit disappointed that the
> draft doesn't accommodate users with "naive" email clients very well, e.g.
> by allowing customized subject lines.
>
> Actually, I was trying to accommodate naive email clients, but it was a
> fine balance trying to specify minimal requirements.
>
> Can you suggest some specific text to change and then we can discuss
> whether or not it should be done? My thinking about the Subject header
> field was that I wanted to have a unique subject (so that ACME email
> messages are easily findable). I also wanted to allow the token in the
> subject for APIs that can easily access Subject and not other header fields.
>
In that case, I would suggest "... subject ending with "(ACME:
<token-part1>)", where ...".  That would allow the first part of the
subject (most likely to be seen by a human) to be human-readable.

Similarly, for Section 3.2. Point 6, I would relax the requirement to state
that this block must appear somewhere in the body.  That way, if the user
sees the response message, it can provide some explanation of what is going
on.

For Section 3.1 Point 5, I don't understand why the body is restricted to
text/plain.  In particular, I think hyperlinks to explanations and
instructions are likely to be helpful.  I also wonder whether support for
multipart/multilingual could be useful.  The body is irrelevant to
ACME-aware clients, so it seems like there could be a lot of freedom in how
this is constructed.

Most email clients automatically convert HTTPS URLs to hyperlinks, which
should make the silly schemes I'm imagining possible, but not very
attractive, for ordinary users.

> Best Regards,
>
> Alexey
>
> I assume this is deliberate, perhaps because of a desire to use short-TTL
> S/MIME certificates that would be impractical to provision manually, but
> the draft doesn't mention a rationale.
>
> On Thu, Mar 12, 2020 at 2:52 PM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
>
>> This mail begins a one-week working group last call on
>> https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime/?include_text=1
>>
>> If you have comments or issues, please post here.
>>
>> If anyone wants to be a document shepherd, please contact the chairs.
>>
>>                 /r$
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>

--00000000000093986305a3c1e1d1--

--0000000000009bd5d905a3c1e100--
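
The relaxed Subject syntax proposed in the message above, next to the strict form, as an added example that is not part of the original thread or of the draft: a receiver-side parser that only accepts the token at the very end of the Subject and rejects tokens below the minimum length. It assumes token-part1 is base64url without padding and that the strict form is a Subject consisting only of "ACME: <token-part1>"; the function, constant and pattern names are hypothetical.

```python
import base64
import binascii
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Assumption: 8 octets = the 64 bits quoted from Section 3 in the thread;
# set to 16 to require the 128 bits RFC 8555 asks of its tokens.
MIN_TOKEN_OCTETS = 8

# Strict form (assumed): the whole Subject is "ACME: <token-part1>".
STRICT = re.compile(r"ACME:[ \t]+([A-Za-z0-9_-]+)")
# Relaxed form proposed in the message: free human-readable text, then
# "(ACME: <token-part1>)" as the very last thing in the Subject.
RELAXED = re.compile(r".*\(ACME:[ \t]+([A-Za-z0-9_-]+)\)", re.DOTALL)


def extract_token_part1(subject, relaxed=True):
    """Return the decoded token-part1 bytes, or None if the Subject is rejected."""
    try:
        # Decode RFC 2047 encoded-words so a non-ASCII prefix does not hide the suffix.
        text = str(make_header(decode_header(subject)))
    except (HeaderParseError, UnicodeError, LookupError):
        return None
    # Unfold continuation lines, then trim surrounding whitespace.
    text = re.sub(r"\r?\n[ \t]+", " ", text).strip()
    m = STRICT.fullmatch(text)
    if m is None and relaxed:
        # fullmatch anchors the token at the end: text after ")" is rejected.
        m = RELAXED.fullmatch(text)
    if m is None:
        return None
    encoded = m.group(1)
    try:
        # base64url is carried without padding; restore it before decoding.
        raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except (binascii.Error, ValueError):
        return None
    # A short token is guessable, so treat it the same as a malformed Subject.
    return raw if len(raw) >= MIN_TOKEN_OCTETS else None
```
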

