Re: [Acme] Secdir last call review of draft-ietf-acme-star-delegation-06

Thomas Fossati <Thomas.Fossati@arm.com> Sun, 14 March 2021 22:59 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Russ Housley <housley@vigilsec.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "acme@ietf.org" <acme@ietf.org>, "draft-ietf-acme-star-delegation.all@ietf.org" <draft-ietf-acme-star-delegation.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Sun, 14 Mar 2021 22:58:50 +0000
Message-ID: <3DDC13CC-4789-459D-9DA2-E023BC372D8C@arm.com>
References: <161575930310.2025.16866904323712710819@ietfa.amsl.com>
In-Reply-To: <161575930310.2025.16866904323712710819@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/BjcOu89nKIaT53tl0B-4bYDfu9Q>

Hi Russ,

Thanks very much for your clear and thorough review!

Your comments are now tracked in the following tickets:

On 14/03/2021, 22:02, "Russ Housley via Datatracker" <noreply@ietf.org> wrote:
> Abstract: It says: "...  party access to a certificate associated with
> said identifier."  This is odd wording, and it is incorrect.  The
> party needs access to the private key that corresponds to the public
> key in the certificate, and the certificate needs to contain the
> subject for "said identifier".  Clearly, all of that should not go in
> the Abstract, but what does appear in the Abstract needs to be
> technically accurate.

https://github.com/yaronf/I-D/issues/139

> Section 1 says: "...   name matches the authority ...".  I find this
> description confusing.  I think it would be more clear to say that the
> cache server needs to present a certificate whose subject name matches
> the domain name of the URL that is requested.  The current wording is
> very easy to confuse name of the Certification Authority.

https://github.com/yaronf/I-D/issues/140

> Section 1 says:
>
>    While the primary use case we address is delegation of STAR
>    certificates, the mechanism proposed here accommodates any
>    certificate managed with the ACME protocol.  See Section 2.4 for
>    details.
>
> This is not much of a hint that long-term certificates are supported
> in addition to STAR certificates.  Further, a hint about the handling
> of revocation is appropriate here.  Support for long-lived
> certificates is in conflict with the title of the document.  Please
> adjust the title of the document accordingly.

https://github.com/yaronf/I-D/issues/141

> Section 2.3.2 says: "Besides, when delegation is for a STAR
> certificate, ..." (in four places in this section).  I find this part
> of the document structure a bit confusing.  Maybe it is the lack of
> adequate warning about support for long-lived certificates.  Maybe it
> is the mixing of STAR certificate and long-lived certificate
> processing in one section.  I suggest that separate sections be used
> to present STAR certificate and long-lived certificate processing.

https://github.com/yaronf/I-D/issues/142

> In Section 2.3.4, the text is begging for one more sentence.  Please
> say something about the fact that the STAR certificate will expire
> shortly after the automatic renewal process is stopped by the IdO.

https://github.com/yaronf/I-D/issues/143

> Section 2.4 is not sufficient to explain the revocation processing.
> Only the NDC has the private key needed to make the ACME revocation
> request, but this does not get stated in the text.  Also, it is not
> clear to me how the NDC knows where to send the revocation request
> since the IdO is the ACME account owner.  In addition, the phrase
> "would create a self-inflicted DoS" needs more explanation.

https://github.com/yaronf/I-D/issues/144

> Section 5.6 registers a string name for each extendedKeyUsage OID.
> There should be a way to provide the OID in dotted decimal format as
> well.  New OIDs are being assigned all the time, and some of them may
> not be registered with IANA.

https://github.com/yaronf/I-D/issues/145

> Section 5.6 registers a string name for each type of subjectAltName.
> This includes otherName, which is identified by an OID.  New OIDs are
> being assigned all the time.  For example, draft-ietf-anima-autonomic-
> control-plane-30 creates a new otherName.  There should be a way to
> provide the otherName OID in dotted decimal format as well.

https://github.com/yaronf/I-D/issues/146

> Minor Concerns:
>
> Abstract: Please spell out ACME, CDN, and STAR.  These are not marked
> as "well known" in the RFC Editor abbreviation expansion list.
>
> Section 1.1: Please change CA to "Certification Authority".  See
> Section 3 of RFC 5280.  This change is also needed elsewhere in the
> document.
>
> Section 1.1: Please add CDNI, uCDN, dCDN, PASSPorT, CSR and FQDN to
> the list of terms.

https://github.com/yaronf/I-D/issues/147

> Section 1 describes [I-D.mglt-lurk-tls13] as an ongoing effort.  This
> is not accurate.  The LURK BoF did not lead to a WG or an effort in an
> existing WG.  I think the best way forward is to drop this reference.

https://github.com/yaronf/I-D/issues/148

> Nits:
>
> Section 2 says: "... in this draft ...".  Please use a word that will
> still be appropriate when this document becomes an RFC.
>
> Section 2.4: s/Sec. 7.6/Section 7.6/  (and many other places)

https://github.com/yaronf/I-D/issues/149

> IDnits reports:
>
>   ** There are 3 instances of too long lines in the document, the
>      longest one being 4 characters in excess of 72.
>
>   == There are 4 instances of lines with non-RFC6890-compliant IPv4
>      addresses in the document.  If these are example addresses, they
>      should be changed.
>
> [I suspect these are not IPv4 addresses, but OIDs in dotted decimal.]

https://github.com/yaronf/I-D/issues/150

We'll be back to you as soon as we have addressed them or for further
clarifications, if needed.

Cheers, and thanks again.
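Added example (not part of this e-mail thread, the draft under review, or the authors' code), tying together the two Section 5.6 comments and the IDnits remark above: a small validator that accepts an extendedKeyUsage value either as a registered string name or as a dotted-decimal OID, plus a syntax check that tells a dotted-decimal OID apart from an IPv4 address, which is exactly the confusion the IDnits warning falls into. The name-to-OID table holds well-known RFC 5280 id-kp values; the assumption that a CSR template carries EKU values as a JSON list of strings, and the function names, are ours.

```python
"""
Added example, not from draft-ietf-acme-star-delegation or the thread above.
Assumed: the CSR template presents extendedKeyUsage as a list of strings.
"""
import ipaddress
import re
from typing import List

# Well-known id-kp values from RFC 5280 Section 4.2.1.12.  The registry the
# review discusses may list a different (or longer) set of names.
EKU_NAME_TO_OID = {
    "serverAuth":      "1.3.6.1.5.5.7.3.1",
    "clientAuth":      "1.3.6.1.5.5.7.3.2",
    "codeSigning":     "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping":    "1.3.6.1.5.5.7.3.8",
    "OCSPSigning":     "1.3.6.1.5.5.7.3.9",
}

# Two or more decimal arcs, no leading zeros (so "1.02.3" is rejected).
_DOTTED = re.compile(r"^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))+$")


def is_dotted_oid(s: str) -> bool:
    """Syntactic check for an X.660 dotted-decimal object identifier.

    Rules applied: at least two arcs, no leading zeros, first arc in
    {0, 1, 2}, and when the first arc is 0 or 1 the second arc is <= 39.
    """
    if not _DOTTED.match(s):
        return False
    arcs = [int(a) for a in s.split(".")]
    if arcs[0] > 2:
        return False
    if arcs[0] < 2 and arcs[1] > 39:
        return False
    return True


def is_ipv4(s: str) -> bool:
    """True when the string is a well-formed dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def classify_dotted(s: str) -> str:
    """Label a dotted string as 'oid', 'ipv4', 'ambiguous' or 'neither'.

    A four-arc OID such as 1.3.6.1 is also a syntactically valid IPv4
    address; that overlap is why a lint tool cannot tell them apart
    without context, and why it is reported here rather than guessed.
    """
    oid, ip = is_dotted_oid(s), is_ipv4(s)
    if oid and ip:
        return "ambiguous"
    if oid:
        return "oid"
    if ip:
        return "ipv4"
    return "neither"


def normalize_eku(values: List[str]) -> List[str]:
    """Canonicalise a CSR-template EKU list to dotted-decimal OIDs.

    Registered names are mapped through the table; dotted-decimal OIDs are
    accepted as-is, so a purpose whose OID is not registered can still be
    expressed.  Anything else is rejected rather than silently dropped.
    Duplicates are removed while preserving order.
    """
    out = []
    for v in values:
        if v in EKU_NAME_TO_OID:
            out.append(EKU_NAME_TO_OID[v])
        elif is_dotted_oid(v):
            out.append(v)
        else:
            raise ValueError(f"unknown extendedKeyUsage value: {v!r}")
    return list(dict.fromkeys(out))


if __name__ == "__main__":
    # Constructed inputs: a registered name, a raw OID, and a repeat.
    print(normalize_eku(["serverAuth", "1.3.6.1.5.5.7.3.2", "serverAuth"]))
    for sample in ("1.3.6.1.5.5.7.3.1", "192.0.2.1", "1.3.6.1", "999.1"):
        print(sample, "->", classify_dotted(sample))
```

The OID check is purely syntactic: it says nothing about whether an arc is actually assigned, which is the point of letting a template carry an OID that no IANA registry lists yet.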





