[Acme] Re: Éric Vyncke's Discuss on draft-ietf-acme-ari-07: (with DISCUSS and COMMENT)
Aaron Gable <aaron@letsencrypt.org> Wed, 26 February 2025 21:50 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0F61D24AC03 for <acme@mail2.ietf.org>; Wed, 26 Feb 2025 13:50:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level:
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.442, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietfa.org (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietfa.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNXtSP0faFam for <acme@mail2.ietf.org>; Wed, 26 Feb 2025 13:50:51 -0800 (PST)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AC52624A80F for <acme@ietf.org>; Wed, 26 Feb 2025 13:49:59 -0800 (PST)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-2fe848040b1so611010a91.3 for <acme@ietf.org>; Wed, 26 Feb 2025 13:49:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1740606599; x=1741211399; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sW/WsYK2SejcvBm07AQTCAM9Z9+ZCwi0gmbk+L/3Myg=; b=E6ODLoS6ANJIb96nLOY72EivqUSFSKbI9JWiLvmCOnA76qyQLi2IvG0kcUE0tf09TF O8gx5jjwlcTcnXGxnWoKvpIule//kxY0OCRfUtBcYGkhvSTPudOcZnK4VnbLqX3p5UHu OQb5AJmSIwvhQz6n/a3vtfLVmS2VwUzt3tOTQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740606599; x=1741211399; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sW/WsYK2SejcvBm07AQTCAM9Z9+ZCwi0gmbk+L/3Myg=; b=xJQINT/7NJV8iKORfWQzeHrLDXKSbeYCAdqaVYnP7BHwS+jjogkoQclkvRp+DdrCXE 7Zq6iq1UQr+cF5aA+Bl5wMw0mqc5xekyPQF7UYZ2gA1A0r4TamaaMPMGnzqgVOUibQrY GCtU1wmKuWFLBOB7pTIHOds93UuP4tjn885J9ZNKyesjSEZGG6BZa2QS6J9o8rj6AAaE hjHiQR0am0ebDDbo/qBnjgLIB5W11NDpJVy9Y1i44btfSNv07nITWtbL5doOZEkbgD/C 5Xt9MOhqcjlncHwSHZ93SWm9npnD6+u4EhYCmmrWyQCOMUPEOGYOR/MAwN+D4IzIYQNY xSbg==
X-Forwarded-Encrypted: i=1; AJvYcCUShsqtnPFn4ImAF2EBiZmRhNj1wFBsbQAUeVgSKe/NLO5uFa27g+OiTqnIxe+fFZ+x2/k8@ietf.org
X-Gm-Message-State: AOJu0YzoCVw/gUHwNtnxU3YTUZNMd+VI2a4S2F0IP6bdVF14we7tbg1O 9Q1t1nXAzqMet6F8fA5bQxm2qURrHrGUqlKYFbzsrsRH4OMdKciVcsKlwxK/f2ascu6NWEtOXYZ dpaweQleE5+h7KwjBKmXMuAl3Wi8RAXRkCWjpBw==
X-Gm-Gg: ASbGncveWDZbAaoUNYkjc8SIFwYwdMbSdDFs2F5iObU4ggdO80XsZVrrsU7c52LZCA5 +nIqjbKZoUyzD9oXGWwl5/wyYdETG+m6RuzmfxUO8IUNc0AZ8QUHzrIhlYiE6sunY1dCdyEU5Rg URKH6tqw32
X-Google-Smtp-Source: AGHT+IGOVmLgn/hTs0BuBUhBBVhzIFkHcIWi09WEXHic8+pufu5iVvOqisUlHYH0hRxPWpYdZ6gT4ofhiSqhIPb7KXQ=
X-Received: by 2002:a17:90b:2ccd:b0:2ee:b26c:10a0 with SMTP id 98e67ed59e1d1-2fce8724390mr38642745a91.24.1740606598782; Wed, 26 Feb 2025 13:49:58 -0800 (PST)
MIME-Version: 1.0
References: <173582578043.1337926.7131929326359844535@dt-datatracker-65f549669d-2xld9>
In-Reply-To: <173582578043.1337926.7131929326359844535@dt-datatracker-65f549669d-2xld9>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 26 Feb 2025 13:49:47 -0800
X-Gm-Features: AQ5f1Jr4CyLfDEq3bBhzQwfWm9aVf9dDEAMKO-jSUUfcVAwdOOP2woj5ZtvAKdw
Message-ID: <CAEmnEreC6_qWp3i=ragaaDyXCPw_=L7UG4LuLtu7jH-+Y6G4Hw@mail.gmail.com>
To: Éric Vyncke <evyncke@cisco.com>
Content-Type: multipart/alternative; boundary="00000000000003b688062f128e62"
Message-ID-Hash: BFSHCO3N6FOGOFPBW4JOGOFAGBVJHNU6
X-Message-ID-Hash: BFSHCO3N6FOGOFPBW4JOGOFAGBVJHNU6
X-MailFrom: aaron@letsencrypt.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, draft-ietf-acme-ari@ietf.org, acme-chairs@ietf.org, acme@ietf.org, ynir.ietf@gmail.com, gih@apnic.net
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Éric Vyncke's Discuss on draft-ietf-acme-ari-07: (with DISCUSS and COMMENT)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QCOamlbr1YnNZW9poRE1ACcy8HE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
Hi Éric, Thank you for the comments and discussion! I have updated the working copy <https://github.com/aarongable/draft-acme-ari/pull/96> with a number of these changes, and will publish a new version of the draft soon. My comments and responses are inline below. On Thu, Jan 2, 2025 at 5:49 AM Éric Vyncke via Datatracker <noreply@ietf.org> wrote: > Éric Vyncke has entered the following ballot position for > draft-ietf-acme-ari-07: Discuss > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ### Section 4.1 > > I think that the example is wrong for HTTP request, rather than > ``` > GET https://example.com/acme/renewal-info/ > aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE > ``` > it should probably be > " > GET /acme/renewal-info/ > aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE > Host: example.com > " > Thank you, I have fixed this example. > Also in this section, should the note about prefixing a "00" when the > serial > number is a negative number be more than a simple note but normative ? Or > if > this is per default in ACME, adding a reference ? > This is in reference to an encoding requirement inherent to the Distinguished Encoding Rules (DER), which themselves are mandated by X.509 and RFC 5280. Due to the two's-complement encoding of ASN.1 Integers in DER, if the leading zero byte were omitted, an encode-decode cycle would transform the intended integer serial number into an unintended negative integer. It is not a requirement introduced by this document, nor even by ACME. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > ## COMMENTS (non-blocking) > > ### Lack of HTTP-dir reviews > > I can only regret that there was no HTTP directorate review for this > document > as one of my DISCUSS and one of my COMMENT are related to HTTP. > > ### url should be in uppercase > > I have detected some "url" that should be "URL" as it is an acronym. > Good catch, I have fixed the two instances of this in Section 4.1. ### Section 4.2 > > Is the first `Conforming clients SHOULD provide this URL to their operator` > correct ? I would assume that this JSON reply is sent by the ACME server > and > not by the client. > You're correct that this JSON reply is sent by the ACME server. But some ACME clients have logging or other notification capabilities which they can use to inform their operator of exceptional circumstances. This sentence is saying that, because the explanationURL is intended to lead to human-readable documentation, the client should surface the URL to its operator so that a human can actually read the documentation if they want to. > Is the `Retry-After` the most suitable HTTP header ? I.e., while RFC 9110 > section 10.2.3 is not really specific, [Mozilla > spec]( > https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After) > seems to indicate that it is not appropriate for a 200 response code. As I > am > not an HTTP expert, I am ready to be corrected of course but I would think > that > using a new key in the returned object would be neater. > I've gone back and forth on this myself. We chose Retry-After because many HTTP clients already have built-in support for respecting this header, and it does fundamentally carry the correct semantics. From the server's perspective, the client should not come back until after that time period has passed (to prevent overload). From the client's perspective, it is incentivized to come back as soon as possible after the period has passed (to get up-to-date info). If others with more knowledge and strong opinions about HTTP tell me that this is an absolutely horrible idea, I'm willing to change it, but as of right now I still think it makes the most sense. > ## NITS (non-blocking / cosmetic) > > ### Appendix A > > It seems that the year of this certificate is 0000, was it the intent ? > The validity interval of the example certificate is not relevant to the purpose for which it is used in this document, so I chose to make it an obviously-unusable value. I'm happy to change this if you like. > ### Section 4.2 > Suggest to use a more recent date (rather than 2021) in the example. > Good call, done. Thanks again, Aaron
- [Acme] Éric Vyncke's Discuss on draft-ietf-acme-a… Éric Vyncke via Datatracker
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Yoav Nir
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Eric Vyncke (evyncke)
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Yoav Nir
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Zaheduzzaman Sarker
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Aaron Gable
- [Acme] Re: Éric Vyncke's Discuss on draft-ietf-ac… Eric Vyncke (evyncke)