Re: [Acme] Alexey Melnikov's Discuss on draft-ietf-acme-ip-07: (with DISCUSS)

Roland Shoemaker <roland@letsencrypt.org> Tue, 01 October 2019 00:32 UTC

From: Roland Shoemaker <roland@letsencrypt.org>
In-Reply-To: <156977148025.21754.11632422153908365852.idtracker@ietfa.amsl.com>
Date: Mon, 30 Sep 2019 17:32:41 -0700
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-ip@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Message-Id: <23E883ED-D057-4F23-A948-B5562029E467@letsencrypt.org>
References: <156977148025.21754.11632422153908365852.idtracker@ietfa.amsl.com>
To: Alexey Melnikov <aamelnikov@fastmail.fm>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/B1u4o8eGwUeUirOOJWrawAX_6c8>

Thanks for the review. Good catch on the FQDN, this looks like it was just an error in the example. I’ll push up a revision addressing this.

> On Sep 29, 2019, at 8:38 AM, Alexey Melnikov via Datatracker <noreply@ietf.org> wrote:
> 
> Alexey Melnikov has entered the following ballot position for
> draft-ietf-acme-ip-07: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-acme-ip/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Thank you for this document.
> 
> I have a trivial thing I would like to discuss before recommending approval of this document:
> 
> Section 3 of RFC 6066 says:
>   "HostName" contains the fully qualified DNS hostname of the server,
>   as understood by the client.  The hostname is represented as a byte
>   string using ASCII encoding without a trailing dot.
> 
> However your example shows in Section 6:
> 
>   For the "tls-alpn-01" challenge the subjectAltName extension in the
>   validation certificate MUST contain a single iPAddress that matches
>   the address being validated.  As [RFC6066] does not permit IP
>   addresses to be used in the SNI extension HostName field the server
>   MUST instead use the IN-ADDR.ARPA [RFC1034] or IP6.ARPA [RFC3596]
>   reverse mapping of the IP address as the HostName field value instead
>   of the IP address string representation itself.  For example if the
>   IP address being validated is 2001:db8::1 the SNI HostName field
>   should contain "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d
>   .0.1.0.0.2.ip6.arpa.".
> 
> I.e. there is a trailing dot after “arpa”. Is the example wrong or am I missing something?
> 
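The rule the DISCUSS turns on, as an added example that is not part of this thread or of the draft: the SNI HostName a tls-alpn-01 validation for an IP address must carry is the IN-ADDR.ARPA / IP6.ARPA reverse mapping of that address, and RFC 6066 Section 3 requires it to be ASCII with no trailing dot. The function names below are my own; the check flags the trailing-dot form from the draft's Section 6 example.

```python
import ipaddress


def sni_hostname_for_ip(ip_text: str) -> str:
    """Reverse-mapping name to present as SNI HostName for an IP validation.

    IPv4: octets reversed under in-addr.arpa; IPv6: the 32 nibbles of the
    expanded address reversed, one label each, under ip6.arpa. No trailing
    dot, per RFC 6066 Section 3.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def check_sni_hostname(hostname: str, validated_ip: str) -> list:
    """Return the problems found in a presented HostName (empty list = OK).

    Checks the RFC 6066 constraints (ASCII, no trailing dot, not an IP
    literal) and that the name is the reverse mapping of validated_ip.
    """
    problems = []
    try:
        hostname.encode("ascii")
    except UnicodeEncodeError:
        problems.append("HostName is not ASCII")
    if hostname.endswith("."):
        problems.append("HostName has a trailing dot (forbidden by RFC 6066)")
    try:
        ipaddress.ip_address(hostname)
        problems.append("HostName is an IP literal (forbidden by RFC 6066)")
    except ValueError:
        pass  # not an IP literal, as required
    expected = sni_hostname_for_ip(validated_ip)
    if hostname.rstrip(".").lower() != expected:
        problems.append("HostName is not the reverse mapping of " + validated_ip)
    return problems


if __name__ == "__main__":
    # The draft's example value, with its trailing dot, versus the corrected form.
    draft_example = "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa."
    print(check_sni_hostname(draft_example, "2001:db8::1"))
    print(check_sni_hostname(sni_hostname_for_ip("2001:db8::1"), "2001:db8::1"))
```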