Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
Aaron Gable <aaron@letsencrypt.org> Tue, 05 March 2024 17:57 UTC
From: Aaron Gable <aaron@letsencrypt.org>
Date: Tue, 05 Mar 2024 09:57:20 -0800
Message-ID: <CAEmnErcwYwCV0d8AHAY0kD=PXTcL9xAE6sABexn5OgG8Gb=sdg@mail.gmail.com>
To: Rob Stradling <rob=40sectigo.com@dmarc.ietf.org>, "Salz, Rich" <rsalz@akamai.com>
Cc: Carl Wallace <carl@redhoundsoftware.com>, "acme@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/BMLVVZ6hP38R17ndN1McP_oc3K8>
Apologies for the late reply; I've been on vacation.

On Tue, Feb 27, 2024 at 3:05 AM Rob Stradling <rob=40sectigo.com@dmarc.ietf.org> wrote:
> Carl wrote:
> > If this mechanism only applies to certs that conform to a profile that
> > requires presence of key identifier in the AKID extension, state that up
> > front.
>
> I think this is a reasonable request.
>
> Aaron wrote:
> > RFC 5280 requires both that the AKID extension be present and that the
> > keyIdentifier field be present within it
>
> I think it's worth pointing this out too.

Agreed on both counts; I've filed https://github.com/aarongable/draft-acme-ari/issues/59 to make sure I clarify this in the document.

On Tue, Feb 27, 2024 at 6:30 AM Salz, Rich <rsalz@akamai.com> wrote:
> Or you could break it into multiple sentences.
>
> The unique identifier is constructed by concatenating the
> base64url-encoding of the bytes of the keyIdentifier field of certificate's
> Authority Key Identifier (AKI) extension, a literal period, and the
> base64url-encoding of the bytes of the DER encoding of the certificate's
> Serial Number (without the tag and length bytes). The encoding is defined
> in Section 5 of [RFC4648] and the AKI extension is defined in Section
> 4.2.1.1 of [RFC5280].

Thanks for the suggestion, I'll continue workshopping this phrasing.

Thanks again all,
Aaron
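The identifier construction quoted above, worked through as an added example (my own code, not from the draft or from any ACME implementation). It assumes ACME's usual unpadded base64url, uses constructed sample values for the keyIdentifier bytes and serial, and goes one step beyond the quoted text by also parsing an identifier back and rejecting serials that are not minimally DER-encoded.

```python
import base64


def der_integer_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER encoding of a certificate serial.

    DER is minimal-length big-endian two's complement, so a positive serial
    whose top bit is set gets a leading 0x00 byte. Serials must be positive
    (RFC 5280, Section 4.1.2.2), so anything else is rejected.
    """
    if serial <= 0:
        raise ValueError("certificate serial numbers must be positive")
    # ceil((bit_length + 1) / 8): the extra bit reserves room for the sign.
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")

def _b64url(data: bytes) -> str:
    # Assumed: base64url (RFC 4648 Section 5) without '=' padding, as ACME uses.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    # validate=True rejects stray characters instead of silently dropping them.
    padded = text + "=" * (-len(text) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Build '<b64url(AKI keyIdentifier)>.<b64url(DER serial content)>'."""
    if not aki_key_identifier:
        raise ValueError("the AKI extension's keyIdentifier field is required")
    return _b64url(aki_key_identifier) + "." + _b64url(der_integer_content(serial))

def parse_ari_cert_id(cert_id: str) -> tuple[bytes, int]:
    """Server-side inverse: split, decode, and insist on a canonical serial."""
    aki_part, sep, serial_part = cert_id.partition(".")
    if sep != "." or not aki_part or not serial_part:
        raise ValueError("expected '<base64url AKI>.<base64url serial>'")
    aki = _b64url_decode(aki_part)
    serial_bytes = _b64url_decode(serial_part)
    serial = int.from_bytes(serial_bytes, "big", signed=True)
    if serial <= 0:
        raise ValueError("decoded serial is not a positive INTEGER")
    # Reject non-minimal encodings (e.g. extra leading 0x00 bytes) so that one
    # certificate cannot be named by several distinct identifiers.
    if der_integer_content(serial) != serial_bytes:
        raise ValueError("serial is not minimally DER-encoded")
    return aki, serial

if __name__ == "__main__":
    # Constructed sample values: a 2-byte keyIdentifier and serial 0x87654321,
    # whose top bit is set and therefore picks up a leading 0x00 byte.
    print(ari_cert_id(bytes.fromhex("0102"), 0x87654321))  # AQI.AIdlQyE
```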