IETF Logo Mail Archive

Re: [Acme] AD review of draft-ietf-acme-authority-token-tnauthlist-06

"Salz, Rich" <rsalz@akamai.com> Wed, 14 October 2020 18:32 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1B5C3A0FBB for <acme@ietfa.amsl.com>; Wed, 14 Oct 2020 11:32:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level:
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9B2HysZo8Jfc for <acme@ietfa.amsl.com>; Wed, 14 Oct 2020 11:32:07 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 491503A0FB9 for <acme@ietf.org>; Wed, 14 Oct 2020 11:32:07 -0700 (PDT)
Received: from pps.filterd (m0122330.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id 09EIR67a020612; Wed, 14 Oct 2020 19:32:05 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=7AiH0IKn445WFgr9BCUrEbAkNo4v68Y/WlfR7V0DPmg=; b=lLf2k+aYYoyYP2mzcFdicLWYov7MOTEciLNVWudgCsNhAzjO7jOn9C4TlC/kFfa5vyT8 Usspf9moKPDVAJFQbeybd6ZDISLlnM2OjtAsd6P0K5eHKh9jpWicKyOTCMO8/Igz5fv6 TBw7Qrxxqfkc+7a8Q5x9kSffqpxG6x1kdd392+RDQavRBW9RSolkUeGMrOzFWaElqoVw My9aNH0euq05hCTNmtFX2490qJP8mpaZSgcxVHZldkoNmupYlS6sRGbhiDvDWTZsZ/uP KVTjCVAlkRmgOMozoJJD26bzjWLkMrvFPr/y8Wx4IUnB8IucDnZYvyQDm3smm5FriWxF iQ==
Received: from prod-mail-ppoint6 (prod-mail-ppoint6.akamai.com [184.51.33.61] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 34350w3gkx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 14 Oct 2020 19:32:05 +0100
Received: from pps.filterd (prod-mail-ppoint6.akamai.com [127.0.0.1]) by prod-mail-ppoint6.akamai.com (8.16.0.42/8.16.0.42) with SMTP id 09EIKDD6006639; Wed, 14 Oct 2020 14:32:04 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint6.akamai.com with ESMTP id 34389xrmn8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 14 Oct 2020 14:32:04 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 14 Oct 2020 14:32:03 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1497.006; Wed, 14 Oct 2020 14:32:03 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Roman Danyliw <rdd@cert.org>, IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] AD review of draft-ietf-acme-authority-token-tnauthlist-06
Thread-Index: AQHWolhPsZAcwYLgDUGm4886xVzAhQ==
Date: Wed, 14 Oct 2020 18:32:02 +0000
Message-ID: <BC04C693-AC93-47C4-A115-FDC995A8412D@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081201
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.27.118.139]
Content-Type: text/plain; charset="utf-8"
Content-ID: <0D390E83BEDD84429F605856421E7883@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-10-14_11:2020-10-14, 2020-10-14 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 adultscore=0 bulkscore=0 phishscore=0 mlxscore=0 suspectscore=0 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010140130
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-10-14_11:2020-10-14, 2020-10-14 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 spamscore=0 malwarescore=0 phishscore=0 mlxscore=0 bulkscore=0 lowpriorityscore=0 adultscore=0 impostorscore=0 mlxlogscore=999 suspectscore=0 clxscore=1011 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2010140131
X-Agari-Authentication-Results: mx.akamai.com; spf=${SPFResult} (sender IP is 184.51.33.61) smtp.mailfrom=rsalz@akamai.com smtp.helo=prod-mail-ppoint6
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TcZS2C3_K8hWOH1xSZRiEKxoeKY>
Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-tnauthlist-06
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 18:32:09 -0000

Authors,

Reading Roman's review, it seems that this could be handled just as editorial changes.  Please let the WG know if you think there's any semantic changes when you update your draft.

On 10/14/20, 1:03 PM, "Roman Danyliw" <rdd@cert.org> wrote:

    Hi!

    I performed an AD review of draft-ietf-acme-authority-token-tnauthlist-06.  Below is my feedback.  There might be some negotiation between what text should be here as opposed to draft-ietf-acme-authority-token.

    ** From idnits (with commentary)

      == Unused Reference: 'ATIS-1000074' is defined on line 565, but no explicit
         reference was found in the text

      == Unused Reference: 'RFC8588' is defined on line 583, but no explicit
         reference was found in the text

      == Outdated reference: A later version (-05) exists of
         draft-ietf-acme-authority-token-04

      == Outdated reference: A later version (-02) exists of
         draft-ietf-stir-cert-delegation-01

      ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
         RFC 7232, RFC 7233, RFC 7234, RFC 7235)

    I believe RFC7235 is the appropriate replacement

      ** Downref: Normative reference to an Informational RFC: RFC 4949

      ** Downref: Normative reference to an Informational RFC: RFC 7340

    I don't believe that RFC7340 needs to be normative.

    ** Section 3.  Editorial. Please update the various dates in examples to be in 2020 (not 2016) so they more closely reflect the publication date

    ** Section 4.  Per "a CA MUST use the Authority Token challenge mechanism defined in [I-D.ietf-acme-authority-token]", does this text mean "type = tkauth-01" or "type = tkauth-01; tkauth-type = atc"?

    ** Section 5.  For clarity, it is likely worth repeating that exp, jti and atc are mandatory.

    ** Section 5.4.  The example of the TNAuthList AT seems to be missing the full payload/protected /signature structure to show the actual binding provided by the server

    ** Section 5.5.  What the semantics of the response from the authority server described here are different than what is in draft-ietf-acme-authority-token (Section 5: "... in the success case the Token Authority returns a 200 OK with a body of type "application/json" containing the Authority Token").   What is being returned here is not strictly the authority token format.

    ** Section 5.5.  Per the last paragraph, no issues with the guidance here.  However, it seems odd that this generic behavior is specified here and not in draft-ietf-acme-authority-token.  Generally, speaking all of this normative text for this protocol between the client and the TA should be specified in the authority-token draft so that future profiles (not tnauthlist) can use it.

    ** Section 8.  Please add that this document inherits the security properties of draft-ietf-acme-authority-token.

    ** Section 9.  Editorial.  Explicitly name the registry.

    OLD
    This document requests the addition of a new identifier object type
       that can be present in the identifier field of the ACME authorization
       object defined in [RFC8555].

    NEW
    This document requests the addition of a new identifier type to the "ACME Identifier Types" registry defined in Section 9.7.7 of [RFC8555].

    Regards,
    Roman

    _______________________________________________
    Acme mailing list
    Acme@ietf.org
    https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_acme&d=DwICAg&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=5wagpGFP9sY4Y3ecs3oagujy8ftyxN2bPkYzJK6cRP4&s=kssp7DJwcTdXjm6B-X3hceqDQAHvp-7Q2NLEwno9-Nk&e=

v2.23.0 | Report a Bug | By Email