Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt

Deb Cooley <debcooley1@gmail.com> Sun, 02 May 2021 11:05 UTC

References: <CAGgd1Od3apxOznaSdBqg-y+Ut=amR3jPrzBdOXfzPV=AHq6Rww@mail.gmail.com>
In-Reply-To: <CAGgd1Od3apxOznaSdBqg-y+Ut=amR3jPrzBdOXfzPV=AHq6Rww@mail.gmail.com>
From: Deb Cooley <debcooley1@gmail.com>
Date: Sun, 02 May 2021 07:05:17 -0400
Message-ID: <CAGgd1OcxLxER68wM13FUmR+L5+qqOTVJPE+SEu3fBXRmbV_Oig@mail.gmail.com>
To: acme@ietf.org
Cc: "Cooley, Dorothy E" <decoole@nsa.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3GpealaeSdY7YTe_XFNqxa_yYJg>
Subject: Re: [Acme] comments on: draft-ietf-acme-integrations-03.txt

Did anyone see this?  Or did it get lost in the shuffle?

Deb Cooley

On Fri, Mar 19, 2021 at 6:46 AM Deb Cooley <debcooley1@gmail.com> wrote:

> I thought this draft was pretty easy to follow, and I just have a few
> minor comments.  Note:  I am probably reviewing this from the point of
> view of an integrator (maybe?), definitely not as a device developer, and
> not as a CA developer.
>
> Section 1, sentence after bullets and Section 4, paragraph 1:  Section 1
> used “enrolment” while Section 4 used “enrollment”.  Pick one.  Use it
> everywhere.
>
> Sections 3, 4 and 5 call flows:  both cases show the ACME CA returning a
> PEM, while the EST RA returns a PKCS#7 to the device.  Is this
> intentional?  Are you expecting the EST Server to convert the certificate
> from PEM to PKCS#7, and is the PKCS#7 a .p7b or .p7c?  [note:  these are
> trivial conversions, but they are also very confusing to most people]
>
> From an architecture point of view, do you expect the EST Server to be run
> by the requesting organization?  Or by the CA owner – or is this not even
> possible?  [from a ‘domain control’ point of view]
>
> Again architecture:  If the EST Server sits in front of a large
> organization, then domain validation is more interesting, and the GET
> /csrattrs may or may not be able to recommend a SAN, right?  I can see
> that policy OIDs could be provided, if that is a thing in these systems.  [we
> use policy OIDs in US DOD, but that is possibly uncommon elsewhere.]
>
> Section 8.1, para 3:  What does ‘The cache should be keyed by the
> complete contents of the CSR’ mean?  The word ‘keyed’, I think, is the
> problem.  Maybe ‘indexed’?  Unless the cache is encrypted?
>
>
> Deb Cooley, NSA
>
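The two mechanical points raised above (the PEM to PKCS#7 conversion between the ACME CA and the EST RA, and what it means to key a cache by the complete contents of a CSR) are shown below as an added worked example. It is not code from the draft, the ACME working group, or this message; it assumes only an `openssl` binary (1.1.1 or 3.x) on PATH, and the CA name `Example Test CA`, the device name `device.example.test` and the serial number are made up for the demonstration. The cache-key half is one reading of "keyed by the complete contents of the CSR" (a digest over the CSR's DER encoding), not the draft's own definition.

```shell
#!/bin/sh
# Added example, not text from the draft or the thread. Round-trips a PEM
# certificate chain through a certs-only PKCS#7 (.p7b) and derives a cache
# key from the DER encoding of a CSR. Assumes an `openssl` binary on PATH
# (1.1.1 or 3.x); every key and certificate below is generated on the fly.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a two-level chain (throwaway CA + leaf). Constructed sample input;
# the names and serial are assumptions for the demo, not real PKI material.
make_chain() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=device.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -set_serial 0x1001 -days 1 \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
    cat "$WORK/leaf.pem" "$WORK/ca.pem" > "$WORK/chain.pem"
}

# PEM chain -> PKCS#7 "certs-only" SignedData (no signers), DER-encoded.
# This is the structure a .p7b/.p7c file carries; both extensions name the
# same thing, the only real choice is DER vs PEM encoding of it.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -outform DER -out "$2"; }

# PKCS#7 -> PEM certificates again (openssl also emits subject/issuer lines).
p7b_to_pem() { openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"; }

# Sorted SHA-256 fingerprints of every certificate in a PEM file, so two
# chains can be compared regardless of the wrapper they travelled in.
# $1 = PEM file, $2 = tag used to name the per-certificate scratch files.
chain_fingerprints() {
    awk -v dir="$WORK" -v tag="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; p = 1 }
        p { print > (dir "/" tag "-" n ".pem") }
        /-----END CERTIFICATE-----/ { p = 0 }' "$1"
    for f in "$WORK/$2"-*.pem; do
        openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^.*=//'
    done | sort
}

# Cache key for a CSR: SHA-256 over its DER encoding. Keying on the DER
# rather than on the PEM text means the same request arriving PEM- or
# DER-encoded, or with different line wrapping, lands in the same cache slot.
# $1 = CSR file, $2 = its encoding (PEM or DER).
csr_cache_key() {
    openssl req -in "$1" -inform "$2" -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

make_chain
pem_to_p7b "$WORK/chain.pem" "$WORK/chain.p7b"
p7b_to_pem "$WORK/chain.p7b" "$WORK/roundtrip.pem"
openssl req -in "$WORK/leaf.csr" -outform DER -out "$WORK/leaf.der" 2>/dev/null

echo "certs in chain.pem:     $(grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem")"
echo "certs in roundtrip.pem: $(grep -c 'BEGIN CERTIFICATE' "$WORK/roundtrip.pem")"
if [ "$(chain_fingerprints "$WORK/chain.pem" a)" = "$(chain_fingerprints "$WORK/roundtrip.pem" b)" ]; then
    echo "fingerprints identical after PEM -> PKCS#7 -> PEM: yes"
else
    echo "fingerprints identical after PEM -> PKCS#7 -> PEM: no"
fi
echo "CSR cache key (PEM input): $(csr_cache_key "$WORK/leaf.csr" PEM)"
echo "CSR cache key (DER input): $(csr_cache_key "$WORK/leaf.der" DER)"
```

The round trip through `crl2pkcs7` and `pkcs7 -print_certs` is the whole of the "trivial conversion": the PKCS#7 is only a container for the same certificates, and comparing per-certificate fingerprints before and after is the check that nothing was dropped. For the cache, hashing the DER rather than the PEM text is what makes "complete contents" robust to re-encoding; a cache indexed by the raw bytes of whatever the client sent would treat the same request sent in two encodings as two entries.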