Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Daniel McCarney <cpu@letsencrypt.org> Wed, 29 August 2018 16:07 UTC
Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA60130E91 for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:07:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kAk7GHznO5kg for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:07:25 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04C30130DE6 for <acme@ietf.org>; Wed, 29 Aug 2018 09:07:22 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id h1-v6so5922572itj.4 for <acme@ietf.org>; Wed, 29 Aug 2018 09:07:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=TCBtk3VaxYkt6NqLJTIkuS4g8aYp9sZh451PRLkpmTU=; b=VL8InPr591Qg71XFGsgPBbmqWxwt1jAOrrnb4ciN6anOy3W5PK7JOntZ8BAYjelNfc uu5neQeNW2Br8Uz+vAYrAlPwtQ4e246LNzsT6RQ06RK7INSbhaKX+5Oh0S+5YZDOH9gM 7EXRBVi8b7jX+uVg+VbG1zS/8bi4dkY/hG5RA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=TCBtk3VaxYkt6NqLJTIkuS4g8aYp9sZh451PRLkpmTU=; b=KFbQLUiZnxrc9RW3NxebxpbWTNhzfG0VqTThjeavu2iwgjcOL6vrS6Wz6BCXtYY3to +ftbzps4I9Gu5CxnoR9CQqmVVWckojxmV9ADo4ywarkp7wT4HrGIJ/FCDeOlcKJxTynY aVXJ2vlROqmCjeLePaA4f1osM7cV4y127sJ/YaxhDoiHMhAgl0ONrADMDjcse9caMByL lNsV30QKTQ6ASWqMmLvftMKBQdmJ65uXdEKLzNEt1j5NCeSej7TKxa4JdBMeb/80pkap Sb1TzZbSi1yzEERLEIaXiRCOZwgWRwyp83HjkxTSaFp+bj9UhxZF3kBeSO/3uYxW8QC+ yrjA==
X-Gm-Message-State: APzg51CwaVMCnyrsT976+FsYgqNv/cm5oE10iA4jUfnDQgvjfITR3D4b 8uBsDPza6t3On8zmbL2TcbnQPA19J+EtixfRezFvsA==
X-Google-Smtp-Source: ANB0VdYRVmOevh+M0zoAAM1R2YOZj/LMcLgYKYWfiJGUWddOtNZKJk2wIjYP1DvgYp1HqehFw1yoG6do5hn+NPeRTQI=
X-Received: by 2002:a24:41e9:: with SMTP id b102-v6mr6007121itd.19.1535558841938; Wed, 29 Aug 2018 09:07:21 -0700 (PDT)
MIME-Version: 1.0
Reply-To: cpu@letsencrypt.org
Received: by 2002:a6b:20d4:0:0:0:0:0 with HTTP; Wed, 29 Aug 2018 09:07:21 -0700 (PDT)
In-Reply-To: <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Wed, 29 Aug 2018 12:07:21 -0400
Message-ID: <CAKnbcLikPk7vxrJdRT1bAqbOkBy7kLwyA5ToFKYFJfiVNCS7xg@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Richard Barnes <rlb@ipv.sx>, Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e546205749527ab"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/HBbsCQFHvIdR-EpePS5qBwgdT7A>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 16:07:28 -0000
> > > I think SHOULD basically makes redirects non interoperable. I think a > bit more text explaining why SHOULD or change this to MUST. Also, if there > are some security issues related to redirects, adding a pointer here would > be good. > I'm slightly adverse to changing this to a MUST. There's been some recent discussion[0] on redirects in domain validation by the CA/Browser Forum validation working group that makes it pretty clear there isn't a universal agreement on how CA's should handle redirects. While I disagree with the proposals to ban following redirects outright there is a possibility that consensus goes that direction and a MUST for processing redirects in ACME could be problematic. Unfortunately I think this is a case where some CAs will decide following redirects in certain conditions is acceptable and where other CAs will decide to never follow a redirect and ACME shouldn't prescribe CA policy. I understand that this makes provisioning a challenge response such that it will be inter-operable with all ACME CAs more difficult but there are a number of ways I expect this would be challenging beyond support for redirects (e.g. one CA may heed the recommendation to use DNSSEC and one may not. A challenge response provisioned behind a domain with an invalid DNSSEC configuration would not interoperate). [0] - https://cabforum.org/pipermail/validation/2018-August/000990.html On Wed, Aug 29, 2018 at 11:26 AM, Alexey Melnikov <alexey.melnikov@isode.com > wrote: > Hi Richard, > On 29/08/2018 16:03, Richard Barnes wrote: > > Hi Alexey, > > Thanks for the comments. A couple of replies are below; resulting edits > are in this PR: > > https://github.com/ietf-wg-acme/acme/pull/442 > > > I deleted comments where we are in agreement. More comments below: > > > --Richard > > > On Wed, Aug 29, 2018 at 7:14 AM Alexey Melnikov <aamelnikov@fastmail.fm> > wrote: > >> Alexey Melnikov has entered the following ballot position for >> draft-ietf-acme-acme-14: No Objection >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-acme-acme/ >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Thank you for this very important document. I would like to switch to >> "Yes", >> but please first review and respond to my comments: >> >> First mentions of JSON and HTTPS need references. >> >> 6.4.1. Replay-Nonce >> >> The "Replay-Nonce" header field includes a server-generated value >> that the server can use to detect unauthorized replay in future >> client requests. The server MUST generate the value provided in >> Replay-Nonce in such a way that they are unique to each message, with >> high probability. For instance, it is acceptable to generate Replay- >> Nonces randomly. >> >> The value of the Replay-Nonce field MUST be an octet string encoded >> according to the base64url encoding described in Section 2 of >> [RFC7515]. Clients MUST ignore invalid Replay-Nonce values. The >> ABNF [RFC5234] for the Replay-Nonce header field follows: >> >> base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" >> >> This is not correct ABNF. Change range syntax in Section 3.4 of RFC 5234 >> > > I've updated to try to fix this, but your review on the PR would be > appreciated. > > The correct form is (I didn't check if you usxe correct hex values): > > base64url = (%x40-5A) / (%x61-7A) / (%x30-39) / "-" / "_" > > (I.e., don't include "%x" after "-" and don't have spaces before or after > "-".) BTW, you can use "BAP"on tools.ietf.org to verify ABNF. > > > > >> Please add normative references for Retry-After and Link header fields. >> > > These already have normative references at their first appearance: > > https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.5 > > Do you think those references are incorrect? > > > I was reading out of order, so this is fine. But a new nit: "header" --> > "header field". ("Header" is a collection of all HTTP header fields present > in a request or response). > > > > >> In 7.1.2: >> >> contact (optional, array of string): An array of URLs that the >> >> Which URI schemes are allowed (or at least expected) here? >> > > Basically, servers must support "mailto", and may support others; they can > specify their requirements in an error message. > > You don't mention "mailto:" till later and you don't even mention "tel:". > I appreciate that you don't want to have an exhaustive list here, but I > think you should still provide a bit more guidance. > > https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3 > > The WG discussed this and decided not to have more negotiation here. See, > e.g.: > > https://mailarchive.ietf.org/arch/msg/acme/TW8sbspUIGDGbIldaqWW0k9jKYo > > That is fine. > > > > >> (Similar text in other sections!) >> > > I don't see "sort order" anywhere else, or other relevant usage of > "order". Do you have other places in mind? > > This might have existed in earlier versions. I will double check. > > > > In 8.3: >> >> The server SHOULD follow redirects when dereferencing the URL. >> >> Why only a SHOULD? >> > > Some server operators wanted to have the option to require that the > validation work on the first request. > > > I think SHOULD basically makes redirects non interoperable. I think a bit > more text explaining why SHOULD or change this to MUST. Also, if there are > some security issues related to redirects, adding a pointer here would be > good. > > 9.6. URN Sub-namespace for ACME (urn:ietf:params:acme) >> >> Repository: URL-TBD >> >> Who needs to fix this value? >> > > There's a request to the RFC editor below. > > > Ok. > > > >> 9.7.1. Fields in Account Objects >> >> o Field type: The type of value to be provided, e.g., string, >> boolean, array of string >> >> Here and in all similar registries: I think you should insert "JSON" >> before >> "type" to make it clear that types are only restricted to JSON type >> choices. >> > > It's a JSON object. If you define a non-JSON type, you're gonna have a > bad time. > > > Maybe I am dealing with too much CBOR/CDDL recently, which allows for more > types. > > >
- [Acme] Alexey Melnikov's No Objection on draft-ie… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Daniel McCarney
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Salz, Rich
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Benjamin Kaduk
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alan Doherty
- Re: [Acme] Alexey Melnikov's No Objection on draf… Manger, James
- Re: [Acme] Alexey Melnikov's No Objection on draf… Tim Hollebeek
- [Acme] FW: Alexey Melnikov's No Objection on draf… Tim Hollebeek
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Corey Bonnell
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- [Acme] HTTP redirects in validation [Was: Re: FW:… Ilari Liusvaara
- Re: [Acme] HTTP redirects in validation [Was: Re:… Ryan Sleevi