Re: [Acme] Éric Vyncke's No Objection on draft-ietf-acme-ip-07: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Tue, 01 October 2019 21:23 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Roland Shoemaker <roland@letsencrypt.org>
CC: The IESG <iesg@ietf.org>, "draft-ietf-acme-ip@ietf.org" <draft-ietf-acme-ip@ietf.org>, Daniel McCarney <cpu@letsencrypt.org>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Date: Tue, 01 Oct 2019 21:23:14 +0000
Message-ID: <97DFCFDA-03BA-44A8-83BF-962075CF7F3B@cisco.com>
References: <156987778023.452.3991363499690423133.idtracker@ietfa.amsl.com> <308168A7-0417-46B4-9F15-B155FFD7DEAE@letsencrypt.org>
In-Reply-To: <308168A7-0417-46B4-9F15-B155FFD7DEAE@letsencrypt.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/4DoUrAoPPSerBdfKAvhJs2CigYU>

Thank you, Roland, for the added pieces of information.

-éric

On 01/10/2019, 19:24, "Roland Shoemaker" <roland@letsencrypt.org> wrote:

    Hey Éric,
    
    Thanks for the review. To answer your two questions:
    
    1. Assuming you are referring to the “type” field of the standard ACME identifier object the use of “ip” was thought to be a bit more verbose as to what the identifier contained vs. “address”. There could be some confusion with using address about what kind of address this was, especially since certain types of certificates (i.e. OV and EV) can contain physical mailing addresses etc.
    2. Allowing only /32 or /128 was mainly just to allow reuse of the existing challenge types from RFC 8555. Adding randomized selection from larger ranges would be possible but would really require completely new challenge types as the modifications that would need to be made (and the specification of the randomized processes etc) would alter the existing challenges too much. There was also no user demand when we first started working on this for anything other than validating individual addresses. If we see demand in the future I think new challenge types would make for a nice short extension to the existing specification.
    
    Thanks,
    Roland
    
    > On Sep 30, 2019, at 2:09 PM, Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
    > 
    > Éric Vyncke has entered the following ballot position for
    > draft-ietf-acme-ip-07: No Objection
    > 
    > When responding, please keep the subject line intact and reply to all
    > email addresses included in the To and CC lines. (Feel free to cut this
    > introductory paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    > for more information about IESG DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-acme-ip/
    > 
    > 
    > 
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Short and useful document: thank you for writing it.
    > 
    > No need to reply to my two questions, but, I would appreciate your answers:
    > 1) why use a tag "ip" rather than "address"?
    > 2) unsure whether it is doable, but why only allow /32 or /128 addresses? A
    > server can listen on a /64 (for some specific applications), so requesting a
    > /64 via ACME would be useful (the challenge could be done via a random address
    > out of this /64, for example)
    > 
    > Regards
    > 
    > -éric
    > 
    >
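The single-address rule Roland describes (an "ip" identifier names exactly one /32 or /128 so the RFC 8555 challenges can be reused unchanged) is easy to get wrong on the CA side if the identifier value is handed to a lenient parser. The following is an added example, not code from the draft or from either author, of how a CA could check newOrder identifiers under that rule and then build the http-01 URL it would fetch. Two things in it are this example's own choices and not stated in the thread: refusing non-canonical address spellings, and bracketing IPv6 literals in the URL (as RFC 3986 does). The newOrder payload and the token are constructed for the example.

```python
"""Validation of ACME "ip" identifiers under the single-address rule."""
import ipaddress
import re

# Identifier type the draft defines (the thread explains why it is "ip", not "address").
IP_IDENTIFIER_TYPE = "ip"
# Well-known path of the RFC 8555 http-01 challenge, reused unchanged for IP identifiers.
HTTP01_PATH = "/.well-known/acme-challenge/"
# RFC 8555 tokens are base64url without padding; anything else must not reach a URL.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


class IdentifierError(ValueError):
    """The identifier is malformed or outside what the draft permits."""


def parse_ip_identifier(identifier):
    """Return the one host address named by an ACME identifier object.

    Only {"type": "ip", "value": "<single address>"} is accepted.  A prefix such
    as "2001:db8::/64" is refused: the draft allows one address (/32 or /128) per
    identifier so the RFC 8555 challenges can be reused without modification.
    """
    if not isinstance(identifier, dict):
        raise IdentifierError("identifier must be a JSON object")
    if identifier.get("type") != IP_IDENTIFIER_TYPE:
        raise IdentifierError("identifier type must be %r" % IP_IDENTIFIER_TYPE)
    value = identifier.get("value")
    if not isinstance(value, str) or not value:
        raise IdentifierError("identifier value must be a non-empty string")
    # Name the common mistakes before the generic parser rejects them opaquely.
    if "/" in value:
        raise IdentifierError("address ranges are not permitted; name one address")
    if "%" in value:
        raise IdentifierError("zone identifiers are not permitted")
    if value.startswith("[") or value.endswith("]"):
        raise IdentifierError("value must be a bare address, not a bracketed literal")
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        raise IdentifierError("not a valid IP address: %s" % exc) from None
    # Example policy (this example's choice, not the draft's text): require the
    # canonical text form (dotted decimal without leading zeros for IPv4,
    # compressed lower-case for IPv6) so one host cannot appear under several
    # distinct identifier strings.
    if str(addr) != value:
        raise IdentifierError("address must be written as %r" % str(addr))
    return addr


def rejection_reason(identifier):
    """Return None if the identifier is acceptable, else the reason a CA would report."""
    try:
        parse_ip_identifier(identifier)
    except IdentifierError as exc:
        return str(exc)
    return None


def validate_order_identifiers(new_order):
    """Parse every "ip" identifier in a newOrder payload; "dns" ones pass through."""
    identifiers = new_order.get("identifiers")
    if not isinstance(identifiers, list) or not identifiers:
        raise IdentifierError("newOrder must carry a non-empty identifiers list")
    addresses = []
    for ident in identifiers:
        if isinstance(ident, dict) and ident.get("type") == "dns":
            continue  # dns identifiers are out of scope for this example
        addresses.append(parse_ip_identifier(ident))
    return addresses


def http01_url(addr, token):
    """URL a CA would fetch for http-01 against a bare address.

    Assumption of this example: an IPv6 literal is bracketed as in RFC 3986 URIs.
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    host = "[%s]" % addr if addr.version == 6 else str(addr)
    return "http://%s%s%s" % (host, HTTP01_PATH, token)


if __name__ == "__main__":
    # Constructed newOrder payload for this example; not taken from the draft.
    order = {"identifiers": [
        {"type": "ip", "value": "192.0.2.1"},
        {"type": "ip", "value": "2001:db8::1"},
        {"type": "dns", "value": "example.com"},
    ]}
    for addr in validate_order_identifiers(order):
        print(http01_url(addr, "example-token-from-CA"))
    for bad in ("2001:db8::/64", "2001:DB8::1", "fe80::1%eth0", "[::1]", "010.0.0.1"):
        print("rejected %r: %s" % (bad, rejection_reason({"type": "ip", "value": bad})))
    print("rejected type 'address':", rejection_reason({"type": "address", "value": "192.0.2.1"}))
```

The explicit checks for "/" and "%" come before `ipaddress.ip_address` so that a /64 request, or a link-local address with a zone suffix, is refused with a reason the client can act on rather than a generic parse error; a "type": "address" identifier is refused the same way, which is the naming point Roland answers in the thread.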