Re: [Acme] [Technical Errata Reported] RFC8555 (6950)

Jacob Hoffman-Andrews <jsha@eff.org> Fri, 05 January 2024 21:15 UTC

From: Jacob Hoffman-Andrews <jsha@eff.org>
To: Deb Cooley <debcooley1@gmail.com>, "lloyd.wood@yahoo.co.uk" <lloyd.wood@yahoo.co.uk>
CC: "rlb@ipv.sx" <rlb@ipv.sx>, "jdkasten@umich.edu" <jdkasten@umich.edu>, "rdd@cert.org" <rdd@cert.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "acme@ietf.org" <acme@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Date: Fri, 05 Jan 2024 21:14:57 +0000
Message-ID: <CH0PR20MB6708C0A10A1AD0BC7D598297DB662@CH0PR20MB6708.namprd20.prod.outlook.com>
References: <20220502083134.BDA48E5311@rfcpa.amsl.com> <CAGgd1OeY01bGe+mgNo-UjjcFyYKGVLaBPgDFOJG1dusE+R9m-Q@mail.gmail.com> <CAGgd1OetWp7k-dbRTNr4XT3K+seZGsWgO2rsMghYhXTefy+SJA@mail.gmail.com> <145154801.12995201.1704458497262@mail.yahoo.com> <CAGgd1OceuyVxeudN9UKnmPNZbU7iE1M6EEHj1o8Ofb-ATyyY-A@mail.gmail.com>
In-Reply-To: <CAGgd1OceuyVxeudN9UKnmPNZbU7iE1M6EEHj1o8Ofb-ATyyY-A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/_vfYCoBJwSE55xhhnvMxZUv_Jus>

Deb, I agree with your analysis: I find the existing text sufficient.

Conversely, I worry that specifying entropy in terms of "generating X characters from the base64url alphabet" is likely to go wrong, with people handcrafting random selection algorithms. The spec does try to allow for multiple implementations, but as an FYI what we do in Boulder is generate 32 random _bytes_ and then encode them into base64url:

https://github.com/letsencrypt/boulder/blob/c1f7de06e9f82fb6b7a599795fe7e37209733d9f/core/util.go#L62-L75

Lloyd, for general interest, this spec aimed to be compatible with the Baseline Requirements of the time (though now the direction has flipped, and the BRs normatively reference this spec). But the BRs still say:

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1.pdf
> Random Value: A value specified by a CA to the Applicant that exhibits at least 112 bits of entropy.

And that definition is still used in the non-ACME validation methods.
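As an added illustration, not part of the message and not Boulder's own code, the approach the reply describes: draw 32 random bytes from the OS CSPRNG, then base64url-encode them, so the entropy is fixed by the byte count rather than by counting encoded characters. The entropy helpers and the check against the 112-bit Baseline Requirements floor quoted above use names that are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math"
)

// brMinEntropyBits is the "at least 112 bits of entropy" floor the BRs
// give for a Random Value (quoted in the thread).
const brMinEntropyBits = 112

// tokenBytes is the number of random bytes drawn before encoding; the
// message states Boulder uses 32.
const tokenBytes = 32

// NewToken draws tokenBytes from crypto/rand and base64url-encodes them
// without padding. 32 bytes become 43 characters carrying 256 bits.
func NewToken() (string, error) {
	buf := make([]byte, tokenBytes)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// TokenEntropyBits recovers the entropy of a byte-then-encode token by
// decoding it back to bytes; entropy is 8 bits per random byte.
func TokenEntropyBits(tok string) (float64, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return 0, err
	}
	return 8 * float64(len(raw)), nil
}

// EntropyBitsFromChars is the entropy of the alternative the reply warns
// about: k characters each chosen uniformly and independently from an
// alphabet of size a (64 for base64url). Any bias in the selection
// routine only lowers this figure.
func EntropyBitsFromChars(k, a int) float64 {
	return float64(k) * math.Log2(float64(a))
}

// MeetsBR reports whether a token with the given entropy satisfies the
// BR floor.
func MeetsBR(bits float64) bool { return bits >= brMinEntropyBits }

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	bits, _ := TokenEntropyBits(tok)
	fmt.Printf("token=%s len=%d bits=%.0f meetsBR=%v\n", tok, len(tok), bits, MeetsBR(bits))
	fmt.Printf("19 chars from 64-alphabet: %.0f bits\n", EntropyBitsFromChars(19, 64))
}
```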