[Acme] [Errata Held for Document Update] RFC8555 (6950)
RFC Errata System <rfc-editor@rfc-editor.org> Fri, 22 March 2024 15:01 UTC
Return-Path: <wwwrun@rfcpa.amsl.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8662BC1519AC; Fri, 22 Mar 2024 08:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.657
X-Spam-Level:
X-Spam-Status: No, score=-1.657 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQ_qm9p1gF5a; Fri, 22 Mar 2024 08:01:54 -0700 (PDT)
Received: from rfcpa.amsl.com (rfcpa.amsl.com [50.223.129.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4CB9C1654EC; Fri, 22 Mar 2024 08:01:54 -0700 (PDT)
Received: by rfcpa.amsl.com (Postfix, from userid 499) id AAF2A5BDCA4; Fri, 22 Mar 2024 08:01:54 -0700 (PDT)
To: lloyd.wood@yahoo.co.uk, rlb@ipv.sx, jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: debcooley1@gmail.com, iesg@ietf.org, acme@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20240322150154.AAF2A5BDCA4@rfcpa.amsl.com>
Date: Fri, 22 Mar 2024 08:01:54 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FEqmxerPYmxZiNjymVHj4hOWrcs>
Subject: [Acme] [Errata Held for Document Update] RFC8555 (6950)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 15:01:58 -0000
The following errata report has been held for document update for RFC8555, "Automatic Certificate Management Environment (ACME)". -------------------------------------- You may review the report below and at: https://www.rfc-editor.org/errata/eid6950 -------------------------------------- Status: Held for Document Update Type: Technical Reported by: Lloyd Wood <lloyd.wood@yahoo.co.uk> Date Reported: 2022-05-02 Held by: Deb Cooley (IESG) Section: GLOBAL Original Text ------------- token (required, string): A random value that uniquely identifies the challenge. This value MUST have at least 128 bits of entropy. Corrected Text -------------- token (required, string): A random value that uniquely identifies the challenge. This value MUST have at least 128 bits of entropy, which in the base64url alphabet means a minimum string length of 22 characters if the full scope of the base64url alphabet is in use in the token, by: log2(64^22) = 132 bits of entropy Notes ----- This standards-track document doesn't specify the string ramifications for entropy; I'd expect it to be called out to implementers, just the once, and then referred to later at other tokens. If entropy is log2 the number of possible characters (64 if full base64url set of chars is in use) then log2 (64^21) = 126 log2 (64^22) = 132 so a minimum of 22 characters are needed to get a minimum of 128 bits of entropy in the token. But, if the random value is specified using a subset of the base64url, say because the implementer doesn't like or use CAPITALS or (most likely) the punctuation symbols, then the token must necessarily be longer to meet the local implementer entropy requirement (though just losing only the punctuation marks means you're still good and meet the requirement with 22 characters). Not sure that matters so much on the wire. I also have editing nits about base64url being defined clearly in ABNF just for Replay-Nonce:, but then both 'base64 alphabet' and 'base64url alphabet' are in use in the document, and base64url references are to RFC4648 via RFC7515, but those are to Base64url, not to base64url... it all seems a bit inconsistent editingwise. So all the references to 'base64 alphabet' should be to 'base64url alphabet' as defined in the doc, but it should really be 'Base64url alphabet' to be consistent with references? (I really think that it should have been called 'Base-64_url alphabet' way back when to enphasise the punctuation use, but that ship has sailed.) To me, 'base64 alphabet' is the a-zA-Z subset of base64... I think the document could be much clearer in this regard, and I hope any doc revisions taking into account all the other errata raised consider this too. My thanks to Lee Maguire for pointing much of this out. -------------------------------------- RFC8555 (draft-ietf-acme-acme-18) -------------------------------------- Title : Automatic Certificate Management Environment (ACME) Publication Date : March 2019 Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten Category : PROPOSED STANDARD Source : Automated Certificate Management Environment Stream : IETF Verifying Party : IESG
- [Acme] [Errata Held for Document Update] RFC8555 … RFC Errata System