Re: [Acme] AD Review: draft-ietf-acme-star-delegation-04

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 08 March 2021 13:13 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Roman Danyliw <rdd@cert.org>, Yaron Sheffer <yaronf.ietf@gmail.com>, IETF ACME <acme@ietf.org>
CC: Thomas Fossati <Thomas.Fossati@arm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/IVxSGzSRm-hULnU24WI8OIDqTJw>

Hi Roman,

On 08/03/2021, 12:50, "Roman Danyliw" <rdd@cert.org> wrote:
> Thanks for adding the new CDDL schema and clean-up to the JSON schema.
> This resolves all of my feedback from AD review.  I will advance the
> document to IETF LC.

Thank you!

> One question I have in the -06 to -07 changes is why the use of IP
> addresses was dropped for subjectAltName in the CSR template (the
> addition of URI makes sense).

For the full context of where this choice originated, see:

https://github.com/yaronf/I-D/pull/132#discussion_r584316393

Note that we added an explicit extension point to the subjectAltName
Type (subjectaltname-extension) where, if needed, IPs could be added
back by a future spec:

$$subjectaltname-extension //= (
  ? IP: [ 1* regtext ]
)

cheers, t
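The extension-point mechanism described above, as an added example that is not part of this message, the draft, or the yaronf/I-D repository: a small Python checker that models the subjectAltName object of the CSR template with a base set of keys and a pluggable slot standing in for the CDDL socket `$$subjectaltname-extension`. The base keys DNS/Email/URI and the `regtext` pattern are assumptions made for illustration, not quotations of the draft's CDDL; the point shown is that a template using `IP` is rejected as an unknown key until a later spec registers that key, and that a registered extension brings its own validation of the values.

```python
"""Added example (not the draft's or the email author's code): a checker for
the subjectAltName part of a CSR template with an extension socket that a
later spec could use to plug IP back in."""

import ipaddress
import re
from typing import Callable, Dict, List

# Placeholder for the draft's 'regtext' type; the exact character class is an
# assumption for this example, not the draft's definition.
REGTEXT = re.compile(r"^[A-Za-z0-9*._:@/%+-]+$")


def is_regtext(value: object) -> bool:
    return isinstance(value, str) and bool(REGTEXT.match(value))


def is_ip_literal(value: object) -> bool:
    """Extension validator: accept only a syntactically valid IPv4/IPv6 address."""
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


# Base group: keys the template accepts with no extension plugged in
# (DNS/Email/URI are assumed here from the thread, not quoted from the draft).
BASE_SAN_KEYS: Dict[str, Callable[[object], bool]] = {
    "DNS": is_regtext,
    "Email": is_regtext,
    "URI": is_regtext,
}


class SubjectAltNameSchema:
    """Models 'subjectaltname' plus the $$subjectaltname-extension socket."""

    def __init__(self) -> None:
        self._keys = dict(BASE_SAN_KEYS)

    def register_extension(self, key: str, validator: Callable[[object], bool]) -> None:
        """What a future spec would do: plug a new key (and its rules) into the socket."""
        if key in self._keys:
            raise ValueError(f"SAN key {key!r} already defined")
        self._keys[key] = validator

    def check(self, san: dict) -> List[str]:
        """Return a list of problems; an empty list means the object conforms."""
        problems: List[str] = []
        for key, values in san.items():
            validator = self._keys.get(key)
            if validator is None:
                problems.append(f"unknown subjectAltName key {key!r}")
                continue
            if not isinstance(values, list) or not values:  # CDDL: [ 1* ... ]
                problems.append(f"{key}: expected a non-empty array")
                continue
            for v in values:
                if not validator(v):
                    problems.append(f"{key}: invalid entry {v!r}")
        return problems


# Constructed sample templates (not from any real deployment).
BASE_TEMPLATE = {"DNS": ["*.example.com"], "URI": ["https://example.com/"]}
IP_TEMPLATE = {"DNS": ["example.com"], "IP": ["192.0.2.10", "2001:db8::1"]}
BAD_IP_TEMPLATE = {"IP": ["192.0.2.999"]}


def demo() -> dict:
    """Run the same IP-bearing template against the base and the extended schema."""
    base = SubjectAltNameSchema()
    before = base.check(IP_TEMPLATE)  # IP is unknown to the base schema

    extended = SubjectAltNameSchema()
    extended.register_extension("IP", is_ip_literal)  # a hypothetical later spec
    after = extended.check(IP_TEMPLATE)
    bad = extended.check(BAD_IP_TEMPLATE)
    return {"base_ok": base.check(BASE_TEMPLATE), "before": before, "after": after, "bad": bad}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

Rejecting unknown keys by default is the conservative reading of the socket: an IdO that publishes a template and an NDC that consumes it should only honour SAN kinds whose validation rules have actually been specified, which is exactly what a future spec registering `IP` would supply.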
