[Acme] Re: Éric Vyncke's Discuss on draft-ietf-acme-ari-07: (with DISCUSS and COMMENT)

Yoav Nir <ynir.ietf@gmail.com> Wed, 08 January 2025 17:25 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <13461436-7371-4E32-B82B-2FD420A0A9DE@gmail.com>
Date: Wed, 08 Jan 2025 19:25:25 +0200
In-Reply-To: <PH0PR11MB496609BA26DF1A6F0E42D492A9122@PH0PR11MB4966.namprd11.prod.outlook.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
References: <173582578043.1337926.7131929326359844535@dt-datatracker-65f549669d-2xld9> <592F4D02-F291-4CC0-A61C-E48F33A03529@gmail.com> <PH0PR11MB496609BA26DF1A6F0E42D492A9122@PH0PR11MB4966.namprd11.prod.outlook.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-acme-ari@ietf.org" <draft-ietf-acme-ari@ietf.org>, "<acme-chairs@ietf. org>" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, "gih@apnic.net" <gih@apnic.net>
Subject: [Acme] Re: Éric Vyncke's Discuss on draft-ietf-acme-ari-07: (with DISCUSS and COMMENT)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/IcuglbaVK-5ITWmEUZnE0ZFz-P0>

Hi

I agree and have just updated the shepherd write-up. Late, perhaps, but better than never.

Yoav

> On 8 Jan 2025, at 8:42, Eric Vyncke (evyncke) <evyncke@cisco.com> wrote:
> 
> Yoav,
>  
> Thanks for your reply, I agree with your reasoning, but it should have been in the shepherd’s write-up to enlighten the ADs when doing their review ;-) (I prefer to read a statement rather than making a guess).
>  
> Regards
>  
> -éric
>  
> From: Yoav Nir <ynir.ietf@gmail.com>
> Date: Wednesday, 8 January 2025 at 05:15
> To: Eric Vyncke (evyncke) <evyncke@cisco.com>
> Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-ari@ietf.org <draft-ietf-acme-ari@ietf.org>, <acme-chairs@ietf.org>, acme@ietf.org <acme@ietf.org>, gih@apnic.net <gih@apnic.net>
> Subject: Re: Éric Vyncke's Discuss on draft-ietf-acme-ari-07: (with DISCUSS and COMMENT)
> 
> Hi, Éric.
> 
> Thanks for the review.  As to your comment, ARI is an extension to RFC 8555 which is standards track.  There are also some implementations for it, so “Proposed Standard” is, in my opinion, the right status. It’s too mature for “Experimental”.
> 
> Hope this helps
> 
> Yoav
> 
> > On 2 Jan 2025, at 15:49, Éric Vyncke via Datatracker <noreply@ietf.org> wrote:
> > 
> > Éric Vyncke has entered the following ballot position for
> > draft-ietf-acme-ari-07: Discuss
> > 
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> > 
> > 
> > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> > for more information about how to handle DISCUSS and COMMENT positions.
> > 
> > 
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
> > 
> > 
> > 
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> > 
> > 
> > # Éric Vyncke, INT AD, comments for draft-ietf-acme-ari-07
> > CC @evyncke
> > 
> > Thank you for the work put into this document. I can easily imagine that it is
> > really useful.
> > 
> > Please find below one blocking DISCUSS point (easy to address), some
> > non-blocking COMMENT points (but replies would be appreciated even if only for
> > my own education), and some nits.
> > 
> > Special thanks to Yoav Nir for the shepherd's detailed write-up including the
> > WG consensus ***but it lacks*** the justification of the intended status.
> > 
> > Other thanks to Carlos Bernardos, the Internet directorate reviewer (at my
> > request); thanks for having considered his int-dir review:
> > https://datatracker.ietf.org/doc/review-ietf-acme-ari-07-dnsdir-telechat-huston-2024-12-15/
> > https://datatracker.ietf.org/doc/review-ietf-acme-ari-06-dnsdir-lc-huston-2024-11-23/
> > 
> > I hope that this review helps to improve the document,
> > 
> > Regards,
> > 
> > -éric
> > 
> > ## DISCUSS (blocking)
> > 
> > As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a
> > DISCUSS ballot is just a request to have a discussion on the following topics:
> > 
> > ### Section 4.1
> > 
> > I think that the example is wrong for the HTTP request; rather than
> > ```
> > GET https://example.com/acme/renewal-info/
> >      aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE
> > ```
> > it should probably be
> > ```
> > GET /acme/renewal-info/
> >      aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE
> > Host: example.com
> > ```
> > 
> > Also in this section, should the note about prefixing a "00" when the serial
> > number is a negative number be more than a simple note, i.e., normative? Or, if
> > this is the default in ACME, should a reference be added?
> > 
> > 
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> > 
> > 
> > ## COMMENTS (non-blocking)
> > 
> > ### Lack of HTTP-dir reviews
> > 
> > I can only regret that there was no HTTP directorate review for this document,
> > as one of my DISCUSS points and one of my COMMENT points are related to HTTP.
> > 
> > ### url should be in uppercase
> > 
> > I have detected some "url" that should be "URL" as it is an acronym.
> > 
> > ### Section 4.2
> > 
> > Is the first `Conforming clients SHOULD provide this URL to their operator`
> > correct? I would assume that this JSON reply is sent by the ACME server and
> > not by the client.
> > 
> > Is the `Retry-After` the most suitable HTTP header? I.e., while RFC 9110
> > section 10.2.3 is not really specific, the [Mozilla
> > spec](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After)
> > seems to indicate that it is not appropriate for a 200 response code. As I am
> > not an HTTP expert, I am ready to be corrected, of course, but I would think that
> > using a new key in the returned object would be neater.
> > 
> > ## NITS (non-blocking / cosmetic)
> > 
> > ### Appendix A
> > 
> > It seems that the year of this certificate is 0000; was that the intent?
> > 
> > ### Section 4.2
> > 
> > I suggest using a more recent date (rather than 2021) in the example.
> > 
> > 
> > 
>
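Added example, not code from the thread, the draft or any ARI implementation: the identifier in the Section 4.1 request path is, per draft-ietf-acme-ari, base64url of the certificate's AKI keyIdentifier, a dot, and base64url of the DER content octets of the serial number, and the "00" the DISCUSS asks about is the DER rule that a positive integer whose top bit is set needs a leading zero byte so it is not read as negative. The code builds and parses that identifier, round-trips the draft's own example value (whose serial part decodes to 0x87654321 behind a 00 byte), rejects non-canonical encodings, and writes the request in the origin-form with Host header that the DISCUSS proposes; the host and base path are constructed values.

```python
import base64

# Identifier from the draft's Section 4.1 example as quoted in the DISCUSS; the
# part after the dot decodes to 00 87 65 43 21 (0x87 has its top bit set).
EXAMPLE_CERT_ID = "aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE"

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def der_integer_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER carrying a positive serial number.
    DER integers are two's complement, so a value whose top bit is set needs
    a leading 0x00 or a decoder reads it as negative (the "00" note)."""
    if serial < 0:
        raise ValueError("RFC 5280 serial numbers are positive integers")
    raw = serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """base64url(AKI keyIdentifier) '.' base64url(serial content octets)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"

def parse_ari_cert_id(cert_id: str) -> tuple[bytes, int]:
    """Inverse of ari_cert_id. Rejects non-canonical DER so that one
    certificate cannot be addressed under two different identifiers."""
    aki_part, serial_part = cert_id.split(".")
    serial_bytes = b64url_decode(serial_part)
    if not serial_bytes or serial_bytes[0] & 0x80:
        raise ValueError("empty or negative serial encoding")
    if len(serial_bytes) > 1 and serial_bytes[0] == 0 and not serial_bytes[1] & 0x80:
        raise ValueError("non-minimal DER integer (superfluous leading 00)")
    return b64url_decode(aki_part), int.from_bytes(serial_bytes, "big")

def is_valid_ari_cert_id(cert_id: str) -> bool:
    try:
        parse_ari_cert_id(cert_id)
        return True
    except ValueError:
        return False

def renewal_info_request(host: str, base_path: str, cert_id: str) -> str:
    """The request written the way the DISCUSS proposes: an origin-form
    target plus a Host header instead of the absolute URL in the example."""
    return f"GET {base_path}/{cert_id} HTTP/1.1\r\nHost: {host}\r\n\r\n"
```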