Re: [Acme] Next steps on draft-ietf-acme-authority-token-tnauthlist

Chris Wendt <chris-ietf@chriswendt.net> Sat, 12 November 2022 12:50 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <BN2P110MB110775D11A158AFD53D15535DC2A9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Date: Sat, 12 Nov 2022 12:50:23 +0000
Cc: "acme@ietf.org" <acme@ietf.org>
Message-Id: <F8336B38-C03B-4BB8-B36F-B798F145EA90@chriswendt.net>
References: <BN2P110MB110775D11A158AFD53D15535DC2A9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
To: Roman Danyliw <rdd@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/VZ0eO1odGoUBObCpih6RX_gfGkA>
Subject: Re: [Acme] Next steps on draft-ietf-acme-authority-token-tnauthlist

Hi Roman,

Apologies for missing these emails. I have updated a new version of the draft 11 to address these final issues.

For the last comment about “x5u” vs “x5c”, I have updated the verification procedures to incorporate both possibilities.

Thanks to you and Sean for guidance on other fixes as well.

-Chris

> On Oct 20, 2022, at 10:05 PM, Roman Danyliw <rdd@cert.org> wrote:
> 
> Hi!
> 
> Thanks for the WGLC to confirm the changes made to draft-ietf-acme-authority-token-tnauthlist in response to the IESG review.  I've asked the three ADs holding DISCUSS positions to re-review the document.
> 
> I also reviewed the document again and went through the diffs with the chairs and Sean Turner (ARTART reviewer) (thank you!) to generate the following list of additional edits to make or discussion to have:
> 
> (1) Per Paul's ballot held for Francesca
> ==[ snip ]==
> ** Section 3.  
> 
> FP: the response is missing the Content-Type field
> ==[ snip ]==
> 
> Edit to make:
> 
> OLD:
> 
>   HTTP/1.1 201 Created
>   Replay-Nonce: MYAuvOpaoIiywTezizk5vw
>   Location: https://example.com/acme/order/1234
> 
> NEW:
> 
>   HTTP/1.1 201 Created
>   Content-Type: application/json
>   Replay-Nonce: MYAuvOpaoIiywTezizk5vw
>   Location: https://example.com/acme/order/1234
> 
> (2) Per Éric ballot
> 
> ==[ snip ]==
> -- Section 6 --
> In "then the CA MUST set the challenge object "status" to "valid"", isn't it up to the ACME server to do this action ?
> ==[ snip ]==
> 
> Edit to make:
> 
> s/then the CA MUST/then the ACME server MUST/
> 
> (3) Per Lars's ballot
> 
> -- Section 5.4:
> OLD
> "ca" is an optional key, if it not included the "ca" value is considered false by default.
> NEW
> "ca" is an optional key, if not included the "ca" value is considered false by default.
> 
> -- Section 9: s/a SPC/an SPC
> 
> (4) Per Ben's ballot
> 
> ==[ snip ]==
> (3) I think my discuss point on draft-ietf-acme-authority-token about
> how the issuer is identified will also apply (with slight modification)
> to this document -- in §5.1 we have text that indicates either "iss" or
> "x5u" identifies the issuer, which I do not believe to be accurate.
> 
> ==[ snip ]==
> 
> 5.1.  "iss" claim
> 
>   The "iss" claim is an optional claim defined in [RFC7519]
>   Section 4.1.1.  It can be used as a URL identifying the Token
>   Authority that issued the TNAuthList Authority Token beyond the "x5u"
>   or other Header claims that identify the location of the certificate
>   or certificate chain of the Token Authority used to validate the
>   TNAuthList Authority Token.
> 
> 
> Why does draft-ietf-acme-authority-token allow for the possibility of "x5c", but the text here doesn't mention it?
> 
> Thanks,
> Roman
> 
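Added example (not part of this thread, and not code from the draft or its authors): a small Ruby verifier showing what "incorporating both possibilities" for the Token Authority certificate looks like in code. The JWS protected header of the token may carry the certificate either embedded as "x5c" or referenced by an "x5u" URL; the verifier below accepts either, refuses a non-https "x5u", checks the certificate against a trust store, and only then verifies the ES256 signature with that certificate's key. The module name AuthorityToken, the ta.example URLs, the self-signed test certificate and the claims are constructed for this example, and the resolver that turns an "x5u" URL into a certificate chain is an in-memory stand-in for an HTTPS client.

```ruby
require 'openssl'
require 'json'

# Verifier for a compact ES256 JWS whose protected header locates the Token
# Authority certificate either as an embedded "x5c" chain or as an "x5u" URL.
module AuthorityToken
  module_function

  # base64url without padding, as JWS requires (RFC 7515 section 2).
  def b64u(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def unb64u(str)
    str.tr('-_', '+/').ljust((str.length + 3) / 4 * 4, '=').unpack1('m0')
  end

  # Sign claims as an ES256 compact JWS. With x5u the header carries the URL;
  # otherwise the certificate is embedded as x5c (plain base64 DER, RFC 7515 4.1.6).
  def sign(key, cert, claims, x5u: nil)
    header = { alg: 'ES256' }
    if x5u then header[:x5u] = x5u else header[:x5c] = [[cert.to_der].pack('m0')] end
    input = "#{b64u(JSON.generate(header))}.#{b64u(JSON.generate(claims))}"
    der = key.sign(OpenSSL::Digest.new('SHA256'), input) # OpenSSL returns DER SEQUENCE { r, s }
    r, s = OpenSSL::ASN1.decode(der).value.map { |i| i.value.to_s(2).rjust(32, "\0") }
    "#{input}.#{b64u(r + s)}" # ES256 signatures are raw r||s, 64 bytes
  end

  # Verify a token. The chain comes from x5c, or from resolver.call(x5u) for an
  # https x5u (resolver is assumed to be caller-supplied; an HTTPS client in
  # production). The leaf must verify against store, then its key must verify
  # the signature. Returns the claims.
  def verify(token, store, resolver, now: Time.now)
    h64, p64, s64 = token.split('.')
    raise 'malformed compact JWS' unless token.count('.') == 2 && s64
    header = JSON.parse(unb64u(h64))
    raise 'unsupported alg' unless header['alg'] == 'ES256' # the verifier, not the token, picks the algorithm
    chain =
      if header['x5c'].is_a?(Array) && !header['x5c'].empty?
        header['x5c'].map { |c| OpenSSL::X509::Certificate.new(String(c).unpack1('m0')) }
      elsif header['x5u'].to_s.start_with?('https://') # only an https URL is ever fetched
        resolver.call(header['x5u'])
      else
        raise 'header carries neither x5c nor an https x5u'
      end
    leaf, *intermediates = chain
    raise 'empty certificate chain' unless leaf
    store.time = now
    raise "Token Authority certificate not trusted: #{store.error_string}" unless store.verify(leaf, intermediates)
    sig = unb64u(s64)
    raise 'bad ES256 signature length' unless sig.bytesize == 64
    halves = [sig[0, 32], sig[32, 32]].map { |half| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(half, 2)) }
    der = OpenSSL::ASN1::Sequence.new(halves).to_der
    raise 'signature verification failed' unless leaf.public_key.verify(OpenSSL::Digest.new('SHA256'), der, "#{h64}.#{p64}")
    JSON.parse(unb64u(p64))
  end

  # Self-signed P-256 Token Authority certificate: a constructed fixture, not a real authority.
  def new_test_authority(now)
    key = OpenSSL::PKey::EC.generate('prime256v1')
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example Token Authority')
    cert.public_key = key
    cert.not_before, cert.not_after = now - 3600, now + 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    [key, cert]
  end
end

if $PROGRAM_NAME == __FILE__
  now = Time.now
  key, cert = AuthorityToken.new_test_authority(now)
  store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  resolver = ->(_url) { [cert] } # in-memory stand-in for fetching the x5u URL
  claims = { 'iss' => 'https://ta.example', 'exp' => now.to_i + 3600 } # constructed claims
  [nil, 'https://ta.example/cert.cer', 'http://ta.example/cert.cer'].each do |x5u|
    token = AuthorityToken.sign(key, cert, claims, x5u: x5u)
    begin
      puts "x5u=#{x5u.inspect}: accepted, iss=#{AuthorityToken.verify(token, store, resolver, now: now)['iss']}"
    rescue StandardError => e
      puts "x5u=#{x5u.inspect}: rejected (#{e.message})"
    end
  end
end
```

The demo at the bottom signs the same claims three ways: with the certificate embedded as "x5c", with an https "x5u", and with an http "x5u" that the verifier refuses before anything is fetched. The order of checks is the point: the certificate is located and validated against the trust store first, and the signature is only checked with the key of a certificate that is already trusted, so an untrusted signer never gets as far as a signature comparison.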