Re: [Acme] Secdir last call review of draft-ietf-acme-authority-token-tnauthlist-07

Chris Wendt <> Fri, 26 March 2021 16:14 UTC

From: Chris Wendt <>
Date: Fri, 26 Mar 2021 12:14:18 -0400
To: Nancy Cam-Winget <>

Hi Nancy,

Thanks for the review. I have addressed the nits and included explicit MUSTs as referenced. I will release an 08 version soon pending any other reviews.

> On Mar 25, 2021, at 6:22 PM, Nancy Cam-Winget via Datatracker <> wrote:
> Reviewer: Nancy Cam-Winget
> Review result: Has Nits
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> This document describes the extensions to ACME to allow a third-party Token
> Authority to also act as the authority and authorization of entities to control a
> resource; the use case and motivating scenario described in the draft is for a
> telephone authority to be the authority for creating CA types of certificates
> for (STIR) delegation.  The document assumes full knowledge of a set of drafts
> and is straightforward.  I only have a couple of nits but otherwise I think it
> is ready.
> NITs:
> Section 5.2: the "exp" claim is mute on SHOULD vs MUST; it seems that you would
> want to have such a claim, so minimally a SHOULD?
> Section 5.3: is this optional, MAY or MUST?
> Section 5.4: personal nit, the section should specify this claim to be a MUST,
> it is implicitly stated but would prefer it to be explicit.
> Section 6:
> -I presume that "verify the atc field" is actually verifying that the
> TNAuthList token is valid?