Re: [Acme] Secdir last call review of draft-ietf-acme-authority-token-tnauthlist-07

Chris Wendt <chris-ietf@chriswendt.net> Fri, 26 March 2021 16:14 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <161671097161.19931.2101173557579231370@ietfa.amsl.com>
Date: Fri, 26 Mar 2021 12:14:18 -0400
Cc: secdir@ietf.org, acme@ietf.org, draft-ietf-acme-authority-token-tnauthlist.all@ietf.org, last-call@ietf.org
Message-Id: <D8B1B810-6146-4CB3-953D-910B56B71476@chriswendt.net>
References: <161671097161.19931.2101173557579231370@ietfa.amsl.com>
To: Nancy Cam-Winget <ncamwing@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/AtDJWXwBSe_oH5pYSZCtRCMOoEs>
Subject: Re: [Acme] Secdir last call review of draft-ietf-acme-authority-token-tnauthlist-07

Hi Nancy,

Thanks for the review. I have addressed the nits and included explicit MUSTs as referenced. I will release an 08 version soon, pending any other reviews.

Thanks!

-Chris

> On Mar 25, 2021, at 6:22 PM, Nancy Cam-Winget via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Nancy Cam-Winget
> Review result: Has Nits
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document describes the extensions to ACME to allow a third-party Token
> Authority to also act as the authority for the authorization of entities to
> control a resource; the use case and motivating scenario described in the
> draft is for a telephone authority to be the authority for creating CA types
> of certificates for (STIR) delegation.  The document assumes full knowledge
> of a set of drafts and is straightforward.  I only have a couple of nits but
> otherwise I think it is ready.
> 
> NITs:
> Section 5.2: the "exp" claim is silent on SHOULD vs MUST; it seems that you
> would want to have such a claim, so minimally a SHOULD?
> 
> Section 5.3: is this optional, may or must?
> 
> Section 5.4: personal nit: the section should specify this claim to be a MUST;
> it is implicitly stated, but I would prefer it to be explicit.
> 
> Section 6:
> -I presume that "verify the atc field" is actually verifying that the
> TNAuthList token is valid?
> 
> 
>
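An added example, not code from the draft or from either correspondent: a Python check of the claims in a TNAuthList Authority Token that treats "exp" as a MUST, as the reply says the -08 revision will, and performs the Section 6 "verify the atc field" step the reviewer asks about. It assumes the claim layout from the draft ("exp" plus an "atc" object with "tktype", "tkvalue" and "fingerprint"); the "jti" replay check, the account-key fingerprint string, the TNAuthList bytes and the token ids are constructed placeholders, and verification of the enclosing JWS signature against the Token Authority's key is assumed to happen before this function is called.

```python
import base64
import binascii

# Constructed sample inputs for this example; none of these values come from
# the draft. The TNAuthList is an opaque placeholder for the DER-encoded
# TNAuthorizationList that the ACME order's "TNAuthList" identifier carries.
EXPECTED_TNAUTHLIST = b"constructed-placeholder-TNAuthList-DER"
EXPECTED_TKVALUE = base64.urlsafe_b64encode(EXPECTED_TNAUTHLIST).decode().rstrip("=")
# Placeholder for the ACME account key fingerprint the Token Authority bound
# the token to. The draft defines how it is computed; this check only compares
# the strings.
ACCOUNT_KEY_FINGERPRINT = "SHA256 " + ":".join(["00"] * 32)
NOW = 1616775262  # 26 Mar 2021 16:14:22 UTC, the date of this thread


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url strictly; raises binascii.Error on bad input."""
    return base64.b64decode(s + "=" * (-len(s) % 4), altchars=b"-_", validate=True)


def verify_tnauthlist_token_claims(claims, expected_fingerprint, expected_tnauthlist,
                                   now, seen_jti=None):
    """Check the decoded claims of a TNAuthList Authority Token.

    Returns a list of violations; an empty list means the token is acceptable.
    The JWS signature is assumed to have been verified before this is called.
    """
    errors = []

    # "exp" treated as mandatory (a MUST), not merely recommended.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        errors.append("exp: claim missing or not numeric (required)")
    elif exp <= now:
        errors.append("exp: token has expired")

    # "verify the atc field": the token must be a TNAuthList token bound to
    # the identifier in the ACME order and to this ACME account key.
    atc = claims.get("atc")
    if not isinstance(atc, dict):
        errors.append("atc: claim missing or not an object")
        return errors
    if atc.get("tktype") != "TNAuthList":
        errors.append("atc.tktype: expected 'TNAuthList', got %r" % (atc.get("tktype"),))
    tkvalue = atc.get("tkvalue")
    if not isinstance(tkvalue, str):
        errors.append("atc.tkvalue: missing")
    else:
        try:
            tnauthlist = b64url_decode(tkvalue)
        except (binascii.Error, ValueError):
            errors.append("atc.tkvalue: not valid base64url")
        else:
            if tnauthlist != expected_tnauthlist:
                errors.append("atc.tkvalue: TNAuthList differs from the ACME order identifier")
    if atc.get("fingerprint") != expected_fingerprint:
        errors.append("atc.fingerprint: does not match the ACME account key")

    # Replay protection on "jti" (assumption: the server keeps the set of
    # token ids it has already accepted; only clean tokens are recorded).
    jti = claims.get("jti")
    if seen_jti is not None and isinstance(jti, str):
        if jti in seen_jti:
            errors.append("jti: token already presented (replay)")
        elif not errors:
            seen_jti.add(jti)
    return errors


GOOD_CLAIMS = {
    "exp": NOW + 3600,
    "jti": "constructed-token-id-1",
    "atc": {"tktype": "TNAuthList", "tkvalue": EXPECTED_TKVALUE,
            "fingerprint": ACCOUNT_KEY_FINGERPRINT},
}
SAMPLES = {
    "good": GOOD_CLAIMS,
    "no_exp": {k: v for k, v in GOOD_CLAIMS.items() if k != "exp"},
    "expired": dict(GOOD_CLAIMS, exp=NOW - 1),
    "wrong_type": dict(GOOD_CLAIMS, atc=dict(GOOD_CLAIMS["atc"], tktype="TNAuthlist")),
    "bad_tkvalue": dict(GOOD_CLAIMS, atc=dict(GOOD_CLAIMS["atc"], tkvalue="not*base64url")),
    "other_account": dict(GOOD_CLAIMS, atc=dict(GOOD_CLAIMS["atc"],
                                                fingerprint="SHA256 " + ":".join(["FF"] * 32))),
}


def check_samples():
    """Run the verifier over the constructed samples; the good token is also
    presented twice against one replay cache to show the jti check."""
    results = {name: verify_tnauthlist_token_claims(
                   claims, ACCOUNT_KEY_FINGERPRINT, EXPECTED_TNAUTHLIST, NOW)
               for name, claims in SAMPLES.items()}
    seen = set()
    verify_tnauthlist_token_claims(GOOD_CLAIMS, ACCOUNT_KEY_FINGERPRINT,
                                   EXPECTED_TNAUTHLIST, NOW, seen)
    results["replay"] = verify_tnauthlist_token_claims(
        GOOD_CLAIMS, ACCOUNT_KEY_FINGERPRINT, EXPECTED_TNAUTHLIST, NOW, seen)
    return results


if __name__ == "__main__":
    for name, errors in check_samples().items():
        print(name, "OK" if not errors else errors)
```

The check reports every violation rather than stopping at the first, so a client presenting a token that is both expired and bound to another account sees both problems; "exp" is rejected when absent, which is the behaviour the MUST in the revised draft calls for.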