[Acme] AD review of draft-ietf-acme-subdomains-04

Roman Danyliw <rdd@cert.org> Sat, 29 October 2022 21:58 UTC

From: Roman Danyliw <rdd@cert.org>
To: "acme@ietf.org" <acme@ietf.org>
Date: Sat, 29 Oct 2022 21:57:53 +0000
Message-ID: <BN2P110MB11071133FF104C5D0831F969DC359@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9dDiMhLlCYonWbjhlnDmB2-yFFs>

Hi!

I performed an AD review of draft-ietf-acme-subdomains-04.  Thanks for this work to extend ACME capability.  I have a few comments below, but they aren't significant enough to hold the document.  Please address them concurrently with IETF LC.

** Section 1.  Editorial.

   ACME [RFC8555] defines a protocol that a certification authority (CA)
   and an applicant can use to automate the process of domain name
   ownership validation and X.509v3 (PKIX) [RFC5280] certificate
   issuance.  This document outlines how ACME can be used to issue
   subdomain certificates, without requiring the ACME client to
   explicitly fulfill an ownership challenge against the subdomain
   identifiers - the ACME client need only fulfill an ownership
   challenge against a parent domain identifier.

Sentence one talks about a "CA" and an "applicant".  With no bridging, sentence two starts using a different term of "ACME client".

** Section 2.  Editorial. This section takes direct quotes out of RFC8499 but does not put quotation marks around them.  However, when text is taken from RFC1034 it has quotes.  Recommend consistency.

** Section 3.  As with the clarification on "identifiers", consider saying a bit more about ACME supporting multiple validation methods.  Pointing to https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods would make for an easy and durable enumeration.

** Section 3.
   ACME places the following restrictions on "identifiers":

   *  [RFC8555] section 7.1.4: the only type of "identifier" defined by
      the ACME specification is an FQDN: "The only type of identifier
      defined by this specification is a fully qualified domain name
      (type: "dns").  The domain name MUST be encoded in the form in
      which it would appear in a certificate."

It seems like there is a subtle distinction to clarify here.  Yes, RFC8555 only specified the "dns" identifier.  However, it also enabled a broader ACME ecosystem via https://www.iana.org/assignments/acme/acme.xhtml#acme-identifier-types.  Isn't the relevant thing to say here that _this_ document only supports the "dns" identifier?

Regards,
Roman