IETF Logo Mail Archive

Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 09 February 2021 14:24 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 123623A0D4D for <acme@ietfa.amsl.com>; Tue, 9 Feb 2021 06:24:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=DdillFbZ; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=DdillFbZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2urA7i6r0jyK for <acme@ietfa.amsl.com>; Tue, 9 Feb 2021 06:24:10 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60068.outbound.protection.outlook.com [40.107.6.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 108DD3A0D4B for <acme@ietf.org>; Tue, 9 Feb 2021 06:24:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VkZz4h7ekrRWk/lThXzevWx2bRCTxPbdVqfcxVLb2dk=; b=DdillFbZyeaJtKuG3H+saoN4uns/s1gwzqR+l2nPt626OTFenP1FQTS7hHn5yO7QIp2Uv98eC7GyHgnZvr2HQoCQqOLXCTUYJ5wAxbSuWzwsMJH3UoNKwdjObAVRee99F68Z+iwcxVT6XnmlazmLaiRs5ZSP4KYFBAhP8CxekaY=
Received: from AM6PR04CA0046.eurprd04.prod.outlook.com (2603:10a6:20b:f0::23) by PAXPR08MB6511.eurprd08.prod.outlook.com (2603:10a6:102:12d::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3825.21; Tue, 9 Feb 2021 14:24:06 +0000
Received: from AM5EUR03FT041.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:f0:cafe::d9) by AM6PR04CA0046.outlook.office365.com (2603:10a6:20b:f0::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.25 via Frontend Transport; Tue, 9 Feb 2021 14:24:06 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT041.mail.protection.outlook.com (10.152.17.186) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.11 via Frontend Transport; Tue, 9 Feb 2021 14:24:06 +0000
Received: ("Tessian outbound af289585f0f4:v71"); Tue, 09 Feb 2021 14:24:05 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: ac0a8374ad73a3d8
X-CR-MTA-TID: 64aa7808
Received: from 38608923eb2a.2 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 7D92E6AE-F8D9-47DF-B7F1-8EF55D26C9DB.1; Tue, 09 Feb 2021 14:23:59 +0000
Received: from EUR05-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 38608923eb2a.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 09 Feb 2021 14:23:59 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jHVXMaSMa/UqwAwA9X/DzMKVgA4FGNP3vOyQ60zEOyQoRg3WDgLuCg9IY5DzyEg98Rj2+BP9ClYDUEzSunRLlveqg9iGZ+gcy1bOpKGAIsMIfEi9+3T4dD0fRShwIxM2QBAQHLw9T/i0R2RPEDrkvOh5qqddvof/QlN4FHJy2j4fx2xa8vsM7QdRLBU4kR9sNVzCo3lyCGodQ9qRZITeqrG9gcLL9qRnHJnCBbdIG65YC1iImrvuu21/mm+chl83Vcu18VsIvvvxCgf8D2DNSPHEC10kFc+RTaKi11jNRlgDjGQoNZCyL4RoUiPCULKUWXrriSJbj9yitviVqaziWw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VkZz4h7ekrRWk/lThXzevWx2bRCTxPbdVqfcxVLb2dk=; b=IIWgx9T8hCdXDenfHhGw+70pg7A3lrjjK9wRKaiSkmu7j/+1qxwPTQS7wNE1OJM5yU3aCF/r/E8mFm6mcCnX3114Jr8tcRUNhFA/EUcPQyaV62rZbgbsMb3dHtR25e4/V9pfKaTrGQ/nK7U/z7TQIszhV+FdSio8lIwJJtoaAimKzEc12ltL+kfbVl6O3OLHGwVs5AjBy2yrHrm9MogFm2N0aE40JRzzA5KkqJfgrFULFWLNbV1hf8cby8Cujei8sXSEB8EtJdZHWWO0oJm+tO6qBOM0NLxYY9vMgYac+pV1IpS37Rbm/+DQnRWMuvxD823EyJP9egb11vJfB+x0QQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VkZz4h7ekrRWk/lThXzevWx2bRCTxPbdVqfcxVLb2dk=; b=DdillFbZyeaJtKuG3H+saoN4uns/s1gwzqR+l2nPt626OTFenP1FQTS7hHn5yO7QIp2Uv98eC7GyHgnZvr2HQoCQqOLXCTUYJ5wAxbSuWzwsMJH3UoNKwdjObAVRee99F68Z+iwcxVT6XnmlazmLaiRs5ZSP4KYFBAhP8CxekaY=
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com (2603:10a6:10:251::8) by DBAPR08MB5830.eurprd08.prod.outlook.com (2603:10a6:10:1a7::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3825.23; Tue, 9 Feb 2021 14:23:56 +0000
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::1f5:375c:310f:7df5]) by DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::1f5:375c:310f:7df5%4]) with mapi id 15.20.3825.030; Tue, 9 Feb 2021 14:23:56 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Roman Danyliw <rdd@cert.org>, IETF ACME <acme@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: [Acme] AD Review: draft-ietf-acme-star-delegation-04
Thread-Index: AQHW/u8yfdBN6o1/a0yivuaGVvuuRg==
Date: Tue, 09 Feb 2021 14:23:56 +0000
Message-ID: <222BB713-6279-4455-B18A-4DC839853A1D@arm.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
Authentication-Results-Original: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=arm.com;
x-originating-ip: [82.12.10.179]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: b985771f-3287-4cc8-176d-08d8cd065b9a
x-ms-traffictypediagnostic: DBAPR08MB5830:|PAXPR08MB6511:
x-ms-exchange-transport-forked: True
X-Microsoft-Antispam-PRVS: <PAXPR08MB6511D5BD2CE084985BA0021E9C8E9@PAXPR08MB6511.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:8273;OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: /ZhYDuGNzNOZ78+PeICe5N+7vfz1fjq08FGXkgopJg1x+EXwv7y8Dg4jTN8QxGWcpnzBpBKQrVNaJnW4+2nw6tBZKGSix9M2EskPXzt6pQZa6RLuLnWZlkJf0JbMkQPUk7lBDlMg+UXil+wdpVS7PLK8HQg7vONnc3wktmEGnky7XqHfwOI8UitAYVhUsvXernq1nSFwSoeM486y7hkaxZ1WVokvePyqUx5btrVb4XiezZvzjb8PQwQaIzF7X6wUVwXsIS5pSoLuEG5kb410r/C81l6cNN7IVC8yzDe2DfT079Gl2epYre/5NwsDD9BHOxhY9/vaTq6NnhH05rMSVQvbOYLIn6362223Kus8Yi2rj0jVVJxSZ/VzhDRDvZXYSUgr20UziLalq+8a1WgQa9W7cIHiTWQhGNLli8pfRXhRslbRu+OgA+Liuiv3GcXA98dL2YYJ1D41LS4czPyfL9ju9pCjydh9dJHAz0Zczd7zp+UpSAYL68tCglIQ3QGh42SVLg0vHS+iaUdHLarBnSScVxCtKNYJ0uXhPRgfTKEWUcvPsiBAaE+10yuPyKzE3NG3hBroYdS38RF0syBlDwCqVGxrC4nL8HGD3xChEwDdD1W8ECoh2ttnz/6Jo8b7GTma663cVqJTUI895rE7XQ==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR08MB6524.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(39860400002)(136003)(396003)(376002)(366004)(8676002)(66574015)(83380400001)(36756003)(8936002)(86362001)(110136005)(316002)(6486002)(6512007)(2906002)(66556008)(5660300002)(2616005)(478600001)(64756008)(66446008)(966005)(66476007)(66946007)(33656002)(26005)(76116006)(6506007)(91956017)(71200400001)(186003)(4326008)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 6QgTOZaHv2bKkm+u74f4w+6aRkLkcJxpY/rCN6V+uG/tAj0Js59+JpH7gDtNaQNmJd5I9TR64M+MMano+Nn1Z+XHI3TPXKpPhNnbbuecMgdCz300xVUTVEXJYPRdUGNILLPZdQL+z6fh/ZvkuoPDsFdbiL3P1iUmoyiAogA8UbCIVjwQgTpLFgnyOiaZn/ev6FUEe2ti/I1AaIrnKWievwxEqBtcH2fvnYkgFpivkPKxztq6r4oP2Ys1lofX2YwXvcrw6GxsWH0Nksd+XfUxILg6Wmjr9AmagaHmGZYoFgaACC8iXP7xSA/V/VPPNWe/HItOdYLBVivwWLT3yYN0vUuTHs+EFrhQqzbqoThbaORO5k3ReDdCLRYihEptS/E+tZZJ8vPIoz2wTrBodUdyN00I6zYzI16nBDJ7Y/5b6hQkX9msCgQnUJNET4V2HMeKFLIctCkTD/Pr0D9dZ+S6IElhOKQiFlSBqWx7qJu1HkB0+Xvk8pAJXbzlecFbChBZE7y7hi65YzgVA2We7FRGH60pYu3rDU20MYbfIVgj0bLv8SKOJIZguH4DNwYxijVY7t4e5NmsaToOTdKZPfgKd2P6/qPRFOeyH2GFsvEhe7zGZpQ25OPHzbPu0pW1BT6h9lGxrVYH6QfPhe9RPTKnn+Ejp2A64M3k9pHPKZ/EfT32Sy6vZ4MjA5/ODqBEg9y9amNgCLK72/TJz2sGCgnA6ZY8p+QElav55h0VDPcrzp5py0zrX/08zzn+oXDPLm/pzSM2N5jnEV1VJg28LBR0DV48lvpXt3HbxyU5m+n8VTbaPev/1VsNSWQWojuqlu8/Vmc/NNIDebbOA8c7cLLCya+VB4HZOpi0w5lDPOkYDXkVWcSZDJvcMS1gMdt5JmALQT5r1bKX+8y8hQglHqLiR9xihPyBGKZt7GCTTeYO0iqy45AqZLwI20LWdLxnb0yzW4ayFWnbm4dustfXrT/DbcfwxlzcxXVuZGkMyk2p1IaFszCGpBbcyBxHwcVqIzBdkrWgf6Ijjla9zgGEJQrxdlLcBZWXuJH/KiXvUYSCc0Q2sYZfWDmJWj/nf1GMEel+PUyOKhroJlrnKVlVZwids9b8reUbRpVEcDFcvto6LDxf71W4ntUrdmeIcIt2SaRvlSn2hdJXJedyiT//AdkC79f9gATvRU/u9QBfcXdQIGdu8iYTEJxWFh01Sed3WvSTPb8JiIfxhNkgecmAf/u2bJLD21fzg7aF22biC87mbN/7CUny0goW9eyePtAZYLZ5k9AeevJzm8zod+Oy5DxRsZzcHql5DmqGrbk+7UtfJcjPLFLBGEDjQMfwHESlPn0H
Content-Type: text/plain; charset="utf-8"
Content-ID: <A84E7816898E6C48950FA5161571788D@eurprd08.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR08MB5830
Original-Authentication-Results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT041.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 7deba4ee-56bb-47c9-c88b-08d8cd06559f
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: KBeD24DCSZl1MxLneWADcn8G2X29uf6G0/PUpBwaErWRIwtSDMKSx+kSTHRSSTQNGVFnG7l5FehQOV2TFyGdhRLBm+QRxv4JhAsLQZewTO8mH7XtwjwUkh1lSP2XV+rq6mipAUbUAe0Fk+UQVjenOPu2kJPXv9ImotSeONeSeRRTF2L4SpnOjWNxyFYy623wQOUVFfl/nmFic2k51qDwT8y69t9rIKYwSZDkU67eiuEalaL4Js/KSAgRkStodTe5CkqvLKRDTE5Q9XPGEygQFvtCRtncV0ud5ZJmbBacAJ1J/4JkihkuS6FiVfXw8r+syL2qLp/DdpJ9taTB6C+PZCxH9+iPN5iyKMgzpJ6APbVqeRmoHPrToFsR4A1rV3dZDltaYNWRcP7A+0T4oKsNKtzj4x0VwYOx0hW9ZVGuTuAY68eYp3H3tOLkHbGbiVUPvn87PKyRjjsC+uLcZEYhtfgcdsVqJppiule2jbJ5GRZ9oReNJ+JKe6TVM+U6RQF5PiKQbJYabdnMnzBrlqOjf+7PT9I9mbyl3lRrK8EBP+y2ZlYPoFt2j7IDmJhmMBjR7mS1B1XW0xR6WmjK7Pl1b3B8kPaNpg4+6ZSWJI4wAFB6MRWNO7S2nV7OC1mydb2T1z3iWxUH2V9T6wTk1HSCten4cSDbubttT7brngi3npQfBLA1B7KPPyfuFyfDM5negYpYWUsLAlSD3n1vfriHzXJPFYPxTcsvD34VLan3dmk=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(396003)(39850400004)(376002)(136003)(346002)(46966006)(36840700001)(2616005)(966005)(478600001)(110136005)(316002)(6512007)(82310400003)(8936002)(6486002)(4326008)(336012)(6506007)(186003)(2906002)(26005)(36860700001)(86362001)(36756003)(66574015)(33656002)(5660300002)(83380400001)(70206006)(70586007)(8676002)(47076005)(356005)(81166007)(82740400003); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Feb 2021 14:24:06.2508 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b985771f-3287-4cc8-176d-08d8cd065b9a
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT041.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR08MB6511
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Aou9SEWNqLlGZsGWS_sMDtmUGeU>
Subject: Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2021 14:24:14 -0000

Hi Roman, thank you very much for the great comments.

There is now a GitHub issue for each review item:

https://github.com/yaronf/I-D/issues?q=label%3A%22AD+review%22+label%3A%22ACME+STAR+Delegation%22

We will get back to you as soon as we are done with the edits, or
if there's anything that needs further discussion.

Cheers, thanks!


On 04/02/2021, 22:51, "Acme on behalf of Roman Danyliw" <acme-bounces@ietf.org on behalf of rdd@cert.org> wrote:

Hi!

I did an AD review of draft-ietf-acme-star-delegation-04.  Thanks for this work to apply the STAR profile (rfc8739).  Below are my comments.  There are a number of editorial clarifications proposed below.  The item that likely needs some discussion is the syntax of the CSR template.

** Idnit:
  ** Obsolete normative reference: RFC 6844 (Obsoleted by RFC 8659)

  == Outdated reference: A later version (-04) exists of
     draft-ietf-cdni-interfaces-https-delegation-03

  -- Unexpected draft version: The latest known version of
     draft-ietf-stir-cert-delegation is -02, but you're referring to -03.

** Section 1.  Editorial.  Missing preposition.
OLD
   This document describes a profile of the ACME protocol [RFC8555] that
   allows the NDC to request the IdO, acting as a profiled ACME server,
   a certificate for a delegated identity
NEW
   This document describes a profile of the ACME protocol [RFC8555] that
   allows the NDC to request from the IdO, acting as a profiled ACME server,
   a certificate for a delegated identity

** Section 2.2.  Editorial.  Recommend symmetry in naming of the orders and being explicit on the order in question.
-- second from last bullet.  s/reflected in the NDC order/reflected in Order 1 (i.e., the NDC Order)/
-- last bullet.  s/moves its state to "valid"/moves the Order 1 state to "valid"/

** Section 2.2. Should the buffering requirement for the CSR be normative - s/The IdO must buffer/The IdO MUST buffer/

** Section 2.2.  Per "[No identify validation]", what is meant by that?

** Section 2.3.1.  Editorial.  s/The IdO can delegate multiple names through each NDC/The IdO can delegate multiple names to a NDC/

** Section 2.3.1.  Are there any constraints to what the delegation URLs could point to?

** Section 2.3.1.  Per "The value of this attribute is the URL pointing to the delegation configuration    object that is to be used for this certificate request", what is the error handling if the delegation attribute doesn't point to a URL found in the delegations URL list?

** Section 2.3.2.  It might be worth pointing out the obvious when clarifying the properties of the Order objects such as:
-- That the value field will be the delegated name

-- The expected symmetry in field values between NDC-generated order object and the one made by the IdO

** Section 2.3.2.  Per "When the validation of the identifiers has been successfully completed ...", it would be useful to clarify who is doing the validation and when.  Figure 1 suggests that there is only a validation process between IdO client and CA server.  However, wouldn't the IdO server be checking the identifiers submitted by the NDC client too (prior to passing them to the CA server too?

** Section 2.3.2 and 2.3.3.  I didn't  understand the titles used to organize of content -- "Order Object on the NDC-IdO side" vs. "IdO-CA side".  They didn't follow the clear convention introduced by Figure 1 of NDC client, IdO client, IdO server and CA server.  Additionally, Section 2.3.2 discusses behavior which seems to be IdO client-to-CA Server (which doesn't seem like "NDC IdO side").  Additionally, Section 2.3.3. seems to be describing the requirements that correspond to construction of the order sent to the CA which is also covered at the end of Section 2.3.2.

** Section 2.4.  Per "The authors believe that this is a very minor security risk", it would be worth explicitly explaining that position (and not framed as the belief of the authors)

** Section 2.5.  This section introduces a new architectural element, ACME Delegation server, but doesn't define it.  Simply referencing the use cases in Section 4.1.2 isn't enough as this section doesn't even use those words ("Delegation server").

** Section 2.5.  Per "The "Location" header must be rewritten", it would be useful to describe the new target.

** Section 3.1.  There are some challenges with the template syntax.
-- Where is the normative format for the syntax?  Section 3.1 points to Appendix B which lists JSON schema whose format is specified "draft 7 of JSON Schema, which may not be the latest version of the corresponding Internet Draft [I-D.handrews-json-schema] at the time of publication".  As far as I can tell "draft 7 of JSON Schema" seems to resolve to https://json-schema.org/specification-links.html which points back to draft-handrews-json-schema.  This draft appears to be an expired, individual draft codifying.  This ambiguity and lack of stable reference is problematic.

-- Accepting the Json schema as is, there is no annotation on the fields.  The field names very much look like X.509 fields but the text provides no guidance on how they should be interpreted to create a CSR beyond explaining "**", "*" and what is mandatory.  I would have expected a field mapping but the text explicitly says "The mapping between X.509 CSR fields and the template will be defined in a future revision of this document.".

** Section 3.1.
The NDC MUST NOT include in the CSR any fields that are not specified
   in the template, and in particular MUST NOT add any extensions unless
   those were previously negotiated out of band with the IdO.

These two normative clauses seem to conflict.  The first clause says that the CSR can only have fields listed in the template (and nothing else).  How would one include extensions not in the template based on out of band negotiation?  It seems like it is either in the template or not.

** Section 4.  Is this entire section normative protocol guidance? Or just informatively describing use cases?  If it is informative, please say so.

** Section 4.1.* Please expand UA = User Agent and CP = Content Provider prior to their introduction in the figures

** Section 4.1.2.1.  Please expand SAN.

** Section 4.1.2.1.  There is a TBD text here, "TBD bootstrap, see https://github.com/yaronf/I-D/issues/47"

** Section 4.1.2.1  Step 2 of Figure 6.  Editorial.  Don't use colloquial language "CDNI things" - s/CDNI things/CDNU meta-data/

** Section 5.*.  Add "registry" to the name of the registry in question.  For example, in Section 5.1.: s/ACME Directory Metadata Fields/ACME Directory Metadata Registry/

** Section 5.4.  If there isn't a registry, why are they in the IANA section?  Should we create a registry?

** Section 5.5. Editorial.  To make the bulleted list explaining the fields symmetric with the registry columns:
NEW:
An extension name

An extension type (the syntax, as a JSON Schema snippet)

The mapping to an X.509 certificate extension.

** Section 5.5.  Per the definition of the "type" column:

-- Formally, what is a JSON Schema snippet?  In particular, the three pre-loaded values reference seem to reference "Appendix B" which doesn't seem like a "snippet" (it containing a fully valid and well-formed XML file).

-- The registration policy is "expert review" so in theory a document is not needed.  Is the thinking that the registry row could contain a bare JSON snippet?

** Section 5.5.  What does "(only for the supported name formats)" mean in the "Mapping to X.509" of subjectAltName

** Section 6.2. Editorial. s/cert/certificate/

** Section 6.2.  Per the enumeration of the "two separate parts" of the delegation process, isn't there also:
-- serving the certificate back to the NDC
-- a process for handling revocation of the delegation and the certificate itself

Both of these seem to be discussed in Section 6.3 in some form.

** Figure 1 and 8.  In the spirit of consistency, consider if the CA should be named the "CA Server" (per figure 1) or "ACME server" (per figure 8).

** Section 6.4.  s/Following is the proposed solution where/The following is a possible mitigation when/

Regards,
Roman

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email