[Acme] Secdir last call review of draft-ietf-acme-authority-token-tnauthlist-07

Nancy Cam-Winget via Datatracker <noreply@ietf.org> Thu, 25 March 2021 22:22 UTC

Reply-To: Nancy Cam-Winget <ncamwing@cisco.com>
Date: Thu, 25 Mar 2021 15:22:51 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/EGQ12q620gUjjQc6hilKg-6pDhY>

Reviewer: Nancy Cam-Winget
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the extensions to ACME to allow for a third party Token
Authority to also act as the authority and authorization of entities to control a
resource; the use case and motivating scenario described in the draft is for a
telephone authority to be the authority for creating CA types of certificates
for (STIR) delegation.  The document assumes full knowledge of a set of drafts
and is straightforward.  I only have a couple of nits but otherwise I think it
is ready.

NITs:
Section 5.2: the "exp" claim is mute on SHOULD vs MUST, it seems that you would
want to have such a claim so minimally a SHOULD?

Section 5.3: is this optional, may or must?

Section 5.4: personal nit, the section should specify this claim to be a MUST,
it is implicitly stated but would prefer it to be explicit.

Section 6:
 -I presume that "verify the atc field" is actually verifying that the
 TNAuthList token is valid?