Re: [Acme] WGLC for ACME DTN Node ID

Russ Housley <housley@vigilsec.com> Wed, 31 March 2021 20:44 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Wed, 31 Mar 2021 16:44:32 -0400
Cc: IETF ACME <acme@ietf.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Jz18YBHISsBSIOy2dYIX7g4IKq8>

I think that this document is almost ready.  I have a few comments.

MAJOR:

Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that profile does not require the certificate to include an EKU of id-kp-bundleSecurity.  When this document is used to verify control over the DTN Node ID, I think the issued certificate MUST include an EKU of id-kp-bundleSecurity.  If other means are used to validate other identities, then other EKU values might be included as well.

Section 4.2 is talking about S/MIME certificates.  I think there is a cut-and-paste error here.

MINOR:

Section 3.1 says:  "The only over-the-wire data required by ACME for a Challenge Bundle is a nonce token ...".  This is the first time that "nonce" appears in the document.  Please reword.

Section 3.3 and 3.4: in the beginning of the section, please add a pointer to the document that defines these parameters.  I think it is draft-ietf-dtn-bpbis.

Section 6.1: please provide a reference for "BPSEC key material", and please spell out "BCB".

NITS:

Section 1: please spell out BP on first use.

Section 2: s/wildcard ("*") character/wildcard character ("*")/

Section 6.2:  please spell out "BIB".

Russ
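The MAJOR comment above asks that a certificate issued after DTN Node ID validation carry an EKU of id-kp-bundleSecurity. As an added example (not code from the draft, from Russ, or from anyone else in this thread), the following Python decodes an X.509 Extended Key Usage extension value and performs that check offline on constructed sample data; the OID 1.3.6.1.5.5.7.3.35 for id-kp-bundleSecurity is taken from the TCPCLv4 specification (published as RFC 9174) and does not appear on this page.

```python
# Added example (not from the draft or this thread): decode an X.509
# Extended Key Usage value (DER SEQUENCE OF OID) and check that it lists
# id-kp-bundleSecurity. Its OID 1.3.6.1.5.5.7.3.35 is the arc registered
# by TCPCLv4 (RFC 9174); that value is not quoted anywhere on this page.
ID_KP_BUNDLE_SECURITY = "1.3.6.1.5.5.7.3.35"

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    sub = 0
    for b in content[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this base-128 arc
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def eku_oids(eku_der):
    """Return the dotted OIDs listed in a DER-encoded ExtKeyUsageSyntax."""
    tag, seq, _ = _read_tlv(eku_der, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsageSyntax entries must be OIDs")
        oids.append(decode_oid(content))
    return oids

def has_bundle_security_eku(eku_der):
    """True when the EKU includes id-kp-bundleSecurity, as the review asks."""
    return ID_KP_BUNDLE_SECURITY in eku_oids(eku_der)

# Constructed sample extension values, not taken from any real certificate:
# id-kp-serverAuth plus id-kp-bundleSecurity, and id-kp-serverAuth alone.
EKU_OK = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070323")
EKU_MISSING = bytes.fromhex("300a" "06082b06010505070301")
```

A CA-side policy check or a relying party can run `has_bundle_security_eku` over the raw `extnValue` of the EKU extension (OID 2.5.29.37) before accepting a certificate for bundle security.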


> On Mar 31, 2021, at 3:50 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> 
> Hi.
> 
> This starts a WGLC for the subject draft entitled “Automated Certificate Management Environment (ACME) Delay-Tolerant Networking (DTN) Node ID Validation Extension”. The call will end at EOD Monday, April 19th, 2001.
> 
> The document has been with the WG since last August, and has received too little review. ACME participants are encouraged to read and review, so that we can make changes if such are needed, and progress the document for publication.
> 
> Links:
> Datatracker: https://datatracker.ietf.org/doc/draft-ietf-acme-dtnnodeid/
> Plain text: https://www.ietf.org/archive/id/draft-ietf-acme-dtnnodeid-01.txt
> HTML: https://www.ietf.org/archive/id/draft-ietf-acme-dtnnodeid-01.html
> PDF: https://tools.ietf.org/pdf/draft-ietf-acme-dtnnodeid-01.pdf
> 
> Thanks in advance
> 
> Yoav