Re: [Acme] ACME draft is now in WGLC.
housley@vigilsec.com Sat, 11 February 2017 22:36 UTC
From: housley@vigilsec.com
To: "Salz, Rich" <rsalz@akamai.com>
Cc: acme@ietf.org
Date: Sat, 11 Feb 2017 17:36:51 -0500
In-Reply-To: <8473d9ba84894d49b2f2232370d66b46@usma1ex-dag1mb3.msg.corp.akamai.com>
Message-ID: <3eac78aafc08b23b3bbe1949dd34bc0e@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/F53poqhxw1qp32ssq21QEDMv1Vc>
> From: IETF Secretariat [mailto:ietf-secretariat-reply@ietf.org]
> Sent: Tuesday, February 07, 2017 12:26 PM
> To: draft-ietf-acme-acme@ietf.org; acme-chairs@ietf.org
> Subject: IETF WG state changed for draft-ietf-acme-acme
>
>
> The IETF WG state of draft-ietf-acme-acme has been changed to "In WG
> Last Call" from "WG Document" by Rich Salz:
>
> https://datatracker.ietf.org/doc/draft-ietf-acme-acme/

Please use the terminology from RFC 5280.  Throughout the document:

   s/certificate authority/certification authority/
   s/issuing authority/certificate issuer/

Also, please use the correct expansion for PKIX (PKI using X.509).

In Section 1, please define ACME.

Also in Section 1:

   s/Certificates in the Web PKI [RFC5280]/Certificates [RFC5280] in the Web PKI/

In Section 5.1, I think it is desirable to add a requirement that the
ACME server SHOULD OCSP Staple.

In Section 5.2, please repeat the reference for the JWS specification
at the front of this section.

Section 5.2 says:

   In the examples below, JWS objects are shown in the JSON or
   flattened JSON serialization, with the protected header and payload
   expressed as base64url(content) instead of the actual base64-encoded
   value, so that the content is readable.  Some fields are omitted for
   brevity, marked with "...".

The example is above this text (below), and there is no "..." in it.

In Section 5.5, please add a MUST statement about the size of the nonce
value (before base64url encoding).

In Section 6.1.1, how does the key-change entry in the table in
Section 6.1.1 relate to the figure in Section 6.1?  The other entries
in this table seem to have an obvious companion in the figure.  I think
the figure should show how the key-change is used to update the account.

Section 6.1.1:

   s/function as both an ACME/functions as both an ACME/

Section 6.1.1 says:

   "caa-identities" (optional, array of string): Each string MUST be a
   lowercase hostname ...

How are IDNs handled?  Are all U-labels converted to A-labels?

Section 6.1.2:

   s/associated to an account/associated with an account/

Section 6.1.3 says:

   status (required, string): The status of this order.  Possible
   values are: "pending", "processing", "valid", and "invalid".

Should the list of possible status strings also include "expired"?  If
not, the text should say that the status will be set to invalid if the
authorizations are not accomplished before the expiration time.

Section 6.1.4 says:

   scope (optional, string): If this field is present, then it MUST
   contain a URI for an order resource, such that this authorization is
   only valid for that resource.  If this field is absent, then the CA
   MUST consider this authorization valid for all orders until the
   authorization expires.  [[ Open issue: More flexible scoping? ]]

This scoping seems fine.  Please remove the [[ question ]].

Section 6.1.4 says:

   ... Servers MUST verify any identifier values that begin with the
   ASCII Compatible Encoding prefix "xn-" as defined in [RFC5890] are
   properly encoded. ...

I think you want to require the A-labels to be converted to U-labels
and back again, and then reject the label if the converted A-label does
not match the original A-label.

In Section 6.3.3, the list of steps clearly includes checking the
signature on the inner JWS in step 4, but I do not see a step that
checks the signature on the outer JWS.  I think both signature checks
need to be explicit in the steps.

Is an additional subsection in Section 6.3 needed to deal with lost
account signature private keys?  I assume that some out-of-band
mechanism would be needed to delete the account so that a new one can
be created.

Section 6.4.2 says:

   The default format of the certificate is PEM (application/x-pem-file)
   as specified by [RFC7468]. ... The client may request other formats
   by including an Accept header in its request.  For example, the
   client may use the media type application/pkix-cert to request the
   end-entity certificate in DER format.

RFC 7468 defines the textual encoding for certificates, but it does not
define the application/x-pem-file media type.  I cannot find a
registration for the application/x-pem-file media type.  Also, please
add a reference to RFC 2585; it specifies the application/pkix-cert
media type.

In Section 6.5, should the example use different challenges for
"http-01", "tls-sni-02", and "dns-01"?

Section 7.2:

   s/in A and AAAA records/in the DNS A and AAAA resource records/

Section 7.3:

   s\by an A/AAAA record\by the DNS A and AAAA resource records\

In Section 8.2, I cannot understand the figure.  Please correct it.

Section 9.1:

   s/man in the middle/man-in-the-middle (MitM)/

Russ
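The A-label round-trip check that the Section 6.1.4 comment above asks for (convert the "xn--" A-label to a U-label and back, and reject it if the re-encoded A-label differs from the original), written out as an added example that is not part of this message or of the ACME draft. It assumes CPython's bundled IDNA codec (`encodings.idna`, which implements RFC 3490 / IDNA 2003) in place of an RFC 5890 (IDNA 2008) implementation; the round-trip logic is identical, only the character tables differ. The function names `validate_ace_label` and `validate_idn_hostname` and the sample hostnames are constructed for the example.

```python
import re
from typing import Tuple

# Assumption: CPython's bundled IDNA codec (RFC 3490 / IDNA 2003) stands in for an
# RFC 5890 (IDNA 2008) implementation; only the character tables differ.
import encodings.idna

ACE_PREFIX = "xn--"
# Plain (non-ACE) label: lowercase letters, digits and interior hyphens, 1..63 octets
LDH_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def validate_ace_label(label: str) -> Tuple[bool, str]:
    """Check that an ACE ('xn--') label survives A-label -> U-label -> A-label unchanged.

    Returns (True, u_label) on success and (False, reason) otherwise.
    """
    if not label.isascii():
        return False, "A-label must be ASCII"
    if label != label.lower():
        return False, "ACME identifier labels must be lowercase"
    if not label.startswith(ACE_PREFIX):
        return False, "not an ACE label"
    if not 0 < len(label) < 64:
        return False, "label must be 1..63 octets"
    try:
        # A-label -> U-label: punycode-decode the part after "xn--"
        u_label = encodings.idna.ToUnicode(label.encode("ascii"))
        # U-label -> A-label: nameprep, punycode-encode, prepend "xn--"
        a_label = encodings.idna.ToASCII(u_label).decode("ascii")
    except UnicodeError as exc:
        # Malformed punycode, and "xn--" labels whose payload is really plain ASCII,
        # both end up here (the codec also refuses labels that do not round-trip)
        return False, f"decode failed: {exc}"
    if a_label != label:
        # The explicit comparison the review asks for: re-encoded form vs. original
        return False, f"non-canonical encoding (re-encodes as {a_label})"
    return True, u_label


def validate_idn_hostname(host: str) -> Tuple[bool, str]:
    """Apply validate_ace_label to every ACE label of a dotted hostname; other labels must be LDH."""
    for label in host.rstrip(".").split("."):
        if label.lower().startswith(ACE_PREFIX):
            ok, reason = validate_ace_label(label)
            if not ok:
                return False, f"{label}: {reason}"
        elif not LDH_LABEL.fullmatch(label):
            return False, f"{label}: not a lowercase LDH label"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from the draft
    for host in [
        "www.xn--mnchen-3ya.example",  # canonical A-label for "münchen"
        "xn--Mnchen-3ya.example",      # uppercase inside the A-label
        "xn--abc-.example",            # "xn--" prefix on a label that decodes to plain ASCII
    ]:
        print(host, validate_idn_hostname(host))
```

The second and third samples are the cases the check exists for: an A-label that is not in its canonical form, and an "xn--" label whose decoded form is pure ASCII and would never have been encoded as an A-label by a conforming client. A server that accepts either has a second, non-canonical spelling of a name that its CAA and authorization logic may not recognise as the same identifier.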