Re: [Acme] Francesca Palombini's Discuss on draft-ietf-acme-star-delegation-07: (with DISCUSS and COMMENT)
Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 09 April 2021 11:50 UTC
Hi Francesca,

Thank you for your review and for getting the CBOR community and Carsten involved.

We will be tracking your comments here: https://github.com/yaronf/I-D/issues/173

And Carsten's review of CDDL and JSON Schema here: https://github.com/yaronf/I-D/issues/170

Thanks,
	Yaron

On 4/6/21, 20:09, "Francesca Palombini via Datatracker" <noreply@ietf.org> wrote:

> Francesca Palombini has entered the following ballot position for
> draft-ietf-acme-star-delegation-07: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-acme-star-delegation/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> EDIT (06-04-2021): Thank you very much to Carsten Bormann for the CDDL review:
> https://mailarchive.ietf.org/arch/msg/cbor/23A-PFhRY-pdkg2-Kgcd4jqySVo/
>
> Authors - please make sure to answer Carsten's comments (and keep me in cc
> so I can clear my DISCUSS).
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for the work on this document, which I found clear and easy to
> read. You can find some minor comments below. The only one that might
> require more attention is 7. about IANA expert guidelines missing.
>
> EDIT TO ADD (06-04-2021): I see that Lars has added a discuss about the
> same topic - I support that discuss.
>
> Francesca
>
> 1. -----
>
>    the ACME CA and waits for the explicit revocation based on CRL and
>    OCSP to propagate to the relying parties.
>    ...
>    result, the TLS connection to the dCDN edge is done with an SNI equal
>
> FP: Please expand CRL, OCSP and SNI on first use.
>
> 2. -----
>
>    *  delegations (required, string): A URL from which a list of
>       delegations configured for this account can be fetched via a POST-
>       as-GET request.
>
> FP: the second occurrence of "delegation" needs a pointer to the next
> subsection - Delegation Objects, otherwise this definition becomes
> confusing (delegations is a URL from which a list of delegations can be
> fetched).
>
> 3. -----
>
>    An example delegation object is shown in Figure 3.
>
> FP: please note that the examples are in JSON.
>
> 4. -----
>
>    (Forbidden) and type "urn:ietf:params:acme:error:unknownDelegation".
>
> FP: suggestion to change to:
>
>    (Forbidden), providing a problem document [RFC7807] with type
>    "urn:ietf:params:acme:error:unknownDelegation", as registered in
>    section 5.5.
>
> The error type appears later on as well (e.g. section 2.3.2), but even
> without repeating each time, I think this reference at least here where
> it appears first would help the reader.
>
> 5. -----
>
>    The Order object created by the IdO:
>    ...
>    *  MUST copy the "star-certificate" field from the STAR Order.  The
>
> FP: (suggestion for clarification) because there are 2 Orders going on in
> sequence, this bullet point and more precisely "from the STAR Order" is
> slightly confusing. You could use Order1 and Order2 as you have used in
> Figure 1 to clarify things (I believe this should be "from the STAR
> Order2 into Order1"). (Note that this is just a suggestion, the rest of
> the text is mostly clear about which Order it refers to.) Otherwise, I
> think it would be good to add "... from the STAR Order into its Order
> resource."
>
> The same comment applies to the next occurrence:
>
>    *  MUST copy the "certificate" field from the Order, as well as
>
> 6. -----
>
>    uCDN is configured to delegate to dCDN, and CP is configured to
>    delegate to uCDN, both as defined in Section 2.3.1.
>
> FP: Re Figure 12: I assume that 0. refers to the configuration CP and
> uCDN share? In this case, why is there no arrow between uCDN and dCDN?
> If my assumption is wrong, then what's the meaning of 0?
>
> 7. -----
>
> FP: This document defines two new registries, one with policy
> Specification required and the other Expert review (both of which will
> need designated experts). https://tools.ietf.org/html/rfc8126#section-5.3
> states that:
>
>    When a designated expert is used, the documentation should give clear
>    guidance to the designated expert, laying out criteria for performing
>    an evaluation and reasons for rejecting a request.
>
> I have noticed that RFC 8555 only provided guidance for one of its
> registries, and that the registries are quite straightforward, but I
> still believe that having some guidance for the experts to evaluate
> requests helps.
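As an added illustration of two of the points raised in the quoted review (comment 4, the 403 response carrying an RFC 7807 problem document with the unknownDelegation error type, and comment 5, the IdO copying the "star-certificate" field from the STAR CA's Order2 into its own Order1), here is a small Python sketch. It is example code written for this page, not code from the draft, the datatracker, or any ACME implementation. The error type URN and the 403 status are taken from the review text; the media type application/problem+json is the one RFC 7807 and RFC 8555 specify for problem documents; every URL, order object and delegation entry below is a constructed sample value, and the shape of the delegation object is a placeholder, not the draft's actual schema.

```python
"""Added example (not from the draft or the mailing-list discussion).

Server side: answer a request for a delegation the account does not have
with a 403 and an RFC 7807 problem document, as comment 4 suggests the
draft should say explicitly.
Client/IdO side: recognise that problem document by its media type, and
copy the "star-certificate" field from the STAR CA's Order2 into the
IdO's own Order1, as comment 5 reads the "MUST copy" requirement.
"""
import json

# Media type for problem documents (RFC 7807; used by ACME, RFC 8555).
PROBLEM_MEDIA_TYPE = "application/problem+json"
# Error type quoted in the review; registration section is the draft's.
UNKNOWN_DELEGATION = "urn:ietf:params:acme:error:unknownDelegation"

# Constructed sample: delegations configured for one account, keyed by URL.
# The object body is a placeholder, not the draft's delegation schema.
SAMPLE_DELEGATIONS = {
    "https://acme.example/acme/delegation/1": {"placeholder": "delegation object"},
}


def unknown_delegation_problem(delegation_url):
    """Build (status, headers, body) for a delegation the account lacks."""
    body = {
        "type": UNKNOWN_DELEGATION,
        "title": "Unknown delegation",
        "status": 403,
        "detail": f"No delegation configured at {delegation_url}",
    }
    return 403, {"Content-Type": PROBLEM_MEDIA_TYPE}, json.dumps(body)


def lookup_delegation(delegations, delegation_url):
    """Server: return the delegation object, or the 403 problem document."""
    if delegation_url not in delegations:
        return unknown_delegation_problem(delegation_url)
    return 200, {"Content-Type": "application/json"}, json.dumps(delegations[delegation_url])


def classify_response(status, headers, body):
    """Client: return the problem 'type' URN only when the response really
    is a problem document (checked by media type, not by guessing from the
    body), and refuse a body whose embedded status contradicts the HTTP
    status. Returns None for non-problem responses."""
    if headers.get("Content-Type") != PROBLEM_MEDIA_TYPE:
        return None
    problem = json.loads(body)
    if problem.get("status") not in (None, status):
        raise ValueError("problem document status disagrees with HTTP status")
    return problem.get("type")


def copy_star_certificate(star_order2, order1):
    """IdO: copy the "star-certificate" URL from the STAR CA's Order2 into a
    copy of the IdO's Order1. Raises if Order2 does not carry it yet, so the
    IdO never publishes an Order1 pointing at a missing certificate."""
    if "star-certificate" not in star_order2:
        raise KeyError("Order2 carries no star-certificate field yet")
    updated = dict(order1)
    updated["star-certificate"] = star_order2["star-certificate"]
    return updated


if __name__ == "__main__":
    st, hd, bd = lookup_delegation(SAMPLE_DELEGATIONS, "https://acme.example/acme/delegation/missing")
    print(st, classify_response(st, hd, bd))
    o1 = copy_star_certificate({"star-certificate": "https://acme.example/star/cert/7"},
                               {"status": "processing"})
    print(o1)
```

The client-side check keys on the media type rather than on the presence of a "type" member, because a plain JSON success body could legitimately contain a field by that name; the cross-check between the document's "status" and the HTTP status catches a mismatched or replayed body before any error handling branches on it.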