Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 29 August 2018 15:03 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EBAB130E8E for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 08:03:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcY7Ax26DEwV for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 08:03:45 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FE22130DF6 for <acme@ietf.org>; Wed, 29 Aug 2018 08:03:42 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id k12-v6so9677706oiw.8 for <acme@ietf.org>; Wed, 29 Aug 2018 08:03:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JhqyM0Ui9PLxUETjFDt5hP/hDU4g0UCUzm6Z4fe4SbI=; b=IxaILMZiyydDhOlDImG5Tf9jOIY9TQ3Mr1AxQxbC8KDxAgFm/v50mTff6Bu+yrSkpU KyB2c5vniOuQZF0iVn5F/R2DW48W+9FGPsyVyTaa3LoqnNlDHnfMqvysKIAxJ9CYs0sq GBAK5Rg4sMZY2Bxy4xwBkMxVjvse3IIfxJrjjZMxaMwKAzyBYJ3XUQ5TRaoccSdrEUwt zcLfLwzjEGdR/sC0PTKytHujH/K3BFN0ROC2k63+YMhcaFyn95pcyjQh85RBKaXm6fN1 6+C+1VyWR/bJthBgkPwEoaAh8U8R56uJfxqE1hRXbt3Jlio9wzADv8RSIoydbvKCCiS4 0SxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JhqyM0Ui9PLxUETjFDt5hP/hDU4g0UCUzm6Z4fe4SbI=; b=tUSdDaWCc9JhVpLZunfnRsucg5RV4QQSY//dcHx7MF6UAk5xhfUk0cgI9yxDxpimks E9bvTaKvkiSN0IvBSCJvroRLP7AnVWpXaoQCIq2gJM9aGLFejhpQHWM+qt73eoboqiCD iV81hkr8JQWW8gE4HVAIE9QLNSfvXWa4mZuwVQ9U2duaD3NbsDPJXT8hOZxHCV1urL2y Ci5Y6N+l84lRAWAf6gm+iYrS+C7F417t/uRqUCDYLXGcssEWEAbGP1kQ7a7w0zbbxg9P G8Gi0u8re4guw45tPyDwtrzVo/BOswZ+qMJGNNlJXllDZoP1EbB+q8BV1DCkuLfFpsMJ x2Qw==
X-Gm-Message-State: APzg51ApqskcBuQo1vEfJll/uyc44xIiDW36upg60O7f04SvY/ni2OSn khcSo4gjiE1GxGVJfVfqryxaUhmUDvyYmp9A/iJYMQ==
X-Google-Smtp-Source: ANB0VdbIvxNlmVGtTyLHZOMtmNuBVoLI9hJaD0S5V/ep8qH3gSZq9dUw5U8qHf9Vquf1/PtLQ8VfS3uoy+9TepNixHI=
X-Received: by 2002:aca:6b87:: with SMTP id g129-v6mr2964827oic.88.1535555021481; Wed, 29 Aug 2018 08:03:41 -0700 (PDT)
MIME-Version: 1.0
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com>
In-Reply-To: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 29 Aug 2018 11:03:23 -0400
Message-ID: <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-acme@ietf.org, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000096d9170574944364"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/41pQ2OOoDbVs9XvfMMeEbpGOKJ0>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 15:03:48 -0000
Hi Alexey, Thanks for the comments. A couple of replies are below; resulting edits are in this PR: https://github.com/ietf-wg-acme/acme/pull/442 --Richard On Wed, Aug 29, 2018 at 7:14 AM Alexey Melnikov <aamelnikov@fastmail.fm> wrote: > Alexey Melnikov has entered the following ballot position for > draft-ietf-acme-acme-14: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-acme-acme/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for this very important document. I would like to switch to > "Yes", > but please first review and respond to my comments: > > First mentions of JSON and HTTPS need references. > > 6.4.1. Replay-Nonce > > The "Replay-Nonce" header field includes a server-generated value > that the server can use to detect unauthorized replay in future > client requests. The server MUST generate the value provided in > Replay-Nonce in such a way that they are unique to each message, with > high probability. For instance, it is acceptable to generate Replay- > Nonces randomly. > > The value of the Replay-Nonce field MUST be an octet string encoded > according to the base64url encoding described in Section 2 of > [RFC7515]. Clients MUST ignore invalid Replay-Nonce values. The > ABNF [RFC5234] for the Replay-Nonce header field follows: > > base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" > > This is not correct ABNF. Change range syntax in Section 3.4 of RFC 5234 > I've updated to try to fix this, but your review on the PR would be appreciated. > Replay-Nonce = *base64url > > You allow for empty nonce here. Should this be "1*base64url"? > Done. Please add normative references for Retry-After and Link header fields. > These already have normative references at their first appearance: https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.5 Do you think those references are incorrect? In Section 6.6: > > | unsupportedIdentifier | Identifier is not supported, but may be | > | | in future > > Do you mean "identifier type", not identifier? > Done. This list is not exhaustive. The server MAY return errors whose > "type" field is set to a URI other than those defined above. Servers > MUST NOT use the ACME URN namespace Section 9.6 for errors other than > the standard types. > > I think this text is misleading, as you create a registry for these. > I suggest you rephrase and add a reference to the registry. > Clarified that the MUST NOT means "don't use unregistered values" > In 7.1.1: > > caaIdentities (optional, array of string): Each string MUST be a > lowercase hostname which the ACME server recognizes as referring > > Is hostname fully qualified? U-label IDNA domains not allowed here? Please > clarify. > These are only provided for matching against CAA records (RFC 6844), so the simplest thing is to just require that they be equal. In practice, that means ASCII-names. > to itself for the purposes of CAA record validation as defined in > [RFC6844]. This allows clients to determine the correct issuer > domain name to use when configuring CAA records. > > Example in 7.1.1 (or maybe even earlier): You probably should say that some > header fields are omitted here. > I think that is clear enough from context. > In 7.1.2: > > contact (optional, array of string): An array of URLs that the > > Which URI schemes are allowed (or at least expected) here? > Basically, servers must support "mailto", and may support others; they can specify their requirements in an error message. https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3 The WG discussed this and decided not to have more negotiation here. See, e.g.: https://mailarchive.ietf.org/arch/msg/acme/TW8sbspUIGDGbIldaqWW0k9jKYo > server can use to contact the client for issues related to this > account. For example, the server may wish to notify the client > about server-initiated revocation or certificate expiration. > > In 7.4: > > Clients SHOULD NOT make any assumptions about the sort order of > "identifiers" or "authorizations" elements in the returned order > object. > > Why is this a SHOULD NOT and not a MUST NOT? > Done. (Similar text in other sections!) > I don't see "sort order" anywhere else, or other relevant usage of "order". Do you have other places in mind? > > 7.4.2. Downloading the Certificate > > GET /acme/cert/asdf HTTP/1.1 > Host: example.com > Accept: application/pkix-cert > > I think your example is wrong, as Accept value needs to match > application/pem-certificate-chain returned below: > Done. > In 8.3: > > The server SHOULD follow redirects when dereferencing the URL. > > Why only a SHOULD? > Some server operators wanted to have the option to require that the validation work on the first request. > 9.1. MIME Type: application/pem-certificate-chain > > The "Media Types" registry should be updated with the following > additional value: > > MIME media type name: application > > MIME subtype name: pem-certificate-chain > > Required parameters: None > > Optional parameters: None > > Encoding considerations: None > > This value has to be one of "7bit", "8bit", "binary" or "framed". I think > this > should be "7bit", as PEM is ASCII. > Done. > Security considerations: Carries a cryptographic certificate and its > associated certificate chain > > I suggest you add text saying that this media type doesn't include active > content. > Done. > Interoperability considerations: None > > Published specification: draft-ietf-acme-acme [[ RFC EDITOR: Please > replace draft-ietf-acme-acme above with the RFC number assigned to > this ]] > > Applications which use this media type: Any MIME-compliant transport > > This text is not actually useful for Media Type reviewers or users. > You should say "ACME client and servers" or something like this. Giving > more > examples of use would be a plus. > Done. > You are also missing some fields from the registration template. In > particular, > who is the Change Controller? (IETF or IESG) > > 9.6. URN Sub-namespace for ACME (urn:ietf:params:acme) > > Repository: URL-TBD > > Who needs to fix this value? > There's a request to the RFC editor below. > 9.7.1. Fields in Account Objects > > o Field type: The type of value to be provided, e.g., string, > boolean, array of string > > Here and in all similar registries: I think you should insert "JSON" before > "type" to make it clear that types are only restricted to JSON type > choices. > It's a JSON object. If you define a non-JSON type, you're gonna have a bad time. > 9.7.8. Validation Methods > > Template: > > o Identifier Type: The type of identifier that this method applies > to > > I think you should add "or a special keyword RESERVED", as otherwise the > table > below might be confusing. > > o ACME: "Y" if the validation method corresponds to an ACME > challenge type; "N" otherwise. > > I think this could have been clearer, as it is not obvious when "N" can be > used. For example you use "N" for "RESERVED" values. > Clarified that for non-ACME values, the identifier type is "N/A".
- [Acme] Alexey Melnikov's No Objection on draft-ie… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Daniel McCarney
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Salz, Rich
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Benjamin Kaduk
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alan Doherty
- Re: [Acme] Alexey Melnikov's No Objection on draf… Manger, James
- Re: [Acme] Alexey Melnikov's No Objection on draf… Tim Hollebeek
- [Acme] FW: Alexey Melnikov's No Objection on draf… Tim Hollebeek
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Corey Bonnell
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- [Acme] HTTP redirects in validation [Was: Re: FW:… Ilari Liusvaara
- Re: [Acme] HTTP redirects in validation [Was: Re:… Ryan Sleevi