Re: [Acme] AD review of draft-ietf-acme-authority-token-05
Roman Danyliw <rdd@cert.org> Wed, 28 July 2021 02:00 UTC
Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410603A1649; Tue, 27 Jul 2021 19:00:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdxrHIRlk6C4; Tue, 27 Jul 2021 19:00:11 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0133.outbound.protection.office365.us [23.103.209.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EB793A1646; Tue, 27 Jul 2021 19:00:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=KWx37G0w9OX7Csci2S5PRqHh9ogJMZ3iHa7kW/Kn7M8Mr+SdHVueoGwR7r8u7OeXrz8qWgLwLbVp7nD1Lb2F1901Mf08Nr88MW6q3IBC3/5chxRsu1z7HbZBHqlt5kyhYN3AjHRzmc/DErOHgiIKQRFSMa9zkZbpNtV65Xnr2KlkuRyoXpFLphOvvbdeGL9rZeuZY7RRPZVVNhXsWY6pCqX8RLVe90XqNvdQEih9jsysrzUAkpt2ceviSj2v7NJVq8KDAVZX2MRO7ZwI17ydnMs7gDgrTJ5Jce0DScPVZQ3HfcpeejVJn+pW1Ln1cBVDy0USofiHwXqRX2o0fym9ew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y/riRi9etUV82EfJmqlo0lzOeTciHBz6XSf2ueVQrxQ=; b=1XEvtYOHk3DeUl7/jYClKGLUxroGFDRR4fmfOeBc0iXvt3eR20HaOafhM4lctWesVOQvpwLifpkKqYqss4gClzxwW8tDZgyr+vo3VLfFTUY+S5C3wAJfUAUDXxRV/QdNrbOd3yuOIqkmedZmbqrgqClVHAS/A171m+WZKjWgr8T+N22o+7armYqc8rHE07EyWkDofNILv54dUFmMQi6eAob93RmS7F3PHravtUrvyn2QBgV0gQkOamfslU5ZCvVAC5ofsN4GFkNp/aCLhfw7uZejSzOz5+uN/LGUIBZBlKWNbprSQY6FkVP0QLklgAphRo3KgJFYRj228oLx6DZgBA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
Received: from DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:414::9) by DM3P110MB0491.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:413::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4352.25; Wed, 28 Jul 2021 02:00:08 +0000
Received: from DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM ([fe80::8156:6fdb:538a:7d36]) by DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM ([fe80::8156:6fdb:538a:7d36%5]) with mapi id 15.20.4352.031; Wed, 28 Jul 2021 02:00:08 +0000
From: Roman Danyliw <rdd@cert.org>
To: "Peterson, Jon" <jon.peterson@team.neustar>, "acme@ietf.org" <acme@ietf.org>
CC: "draft-ietf-acme-authority-token@ietf.org" <draft-ietf-acme-authority-token@ietf.org>
Thread-Topic: [Acme] AD review of draft-ietf-acme-authority-token-05
Thread-Index: AQHW6ejlOEYeQcveQkikId7N6kJ3Waq2j80AgCoPh8CAW30v8IAEfNGAgAtGD2A=
Date: Wed, 28 Jul 2021 02:00:08 +0000
Message-ID: <DM3P110MB053877433E71A708207C539CDCEA9@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
References: <9FF54993-6265-49F5-9663-63A99DB7762B@akamai.com> <5bcc3911ebce4a78a26a98df1575210d@cert.org> <cf930a798fcd433c889a61ca16f0a3d0@cert.org> <DM3P110MB05386DAABC8EAFF8FF322ECFDC189@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM> <DE0959B4-84DC-40AE-A13D-40C8F79D9E4E@team.neustar>
In-Reply-To: <DE0959B4-84DC-40AE-A13D-40C8F79D9E4E@team.neustar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: team.neustar; dkim=none (message not signed) header.d=none;team.neustar; dmarc=none action=none header.from=cert.org;
x-originating-ip: [71.112.171.248]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3a200d03-0cc3-4312-f7fa-08d9516b6d1f
x-ms-traffictypediagnostic: DM3P110MB0491:
x-microsoft-antispam-prvs: <DM3P110MB04917B908E3376B7DC11B2D0DCEA9@DM3P110MB0491.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: G9/jGJrnSqj65di34Vw7FAiL8vZVp9UYSI1luwFXW6BW+NgoiuSnnTkUCWdIVVX+wbaj8mBcWohO1otWfe2KZTUSA3FlfEKFLedabjiUH6GuCEgy0gwYYeCi9pUmKTWE0F9+bq0Zbd4PZGyIDzQI2+EEPsGNWeEAXq/xSYHI9hyBocoIBOjPKHkv8VG4hpdd0jM/AE07wqqox/sF8yS7SKTilN8pwfeYprbKkZiqIwqetaSXhDpBQ/yyyqDsD8i/LKtaCH8RVzWHxGhRjB64jRj9iiRUwlfkCoME+TqE4BcvKpqUYUeIQ798k3XW4z7O/DXWMDrOEggawc4ephgGXkpczT7fgdy2scH4H9CsBk9nMN1J9EWvLRf5DwakVOhflfbFzGWvBUGtfALYfnkkb0nxSJAwrrRs3KunwEcIgGDsUneT2AeH+fc/kjugnt65UyJFCgDFxqg9YSyjQXsuSuGztJyE1s5ZjUqAtZvAYyuho6TVtxHCEOU5RDss2KlcDIsflXCsvSvMxV6uc7iSitGmqAlPVi5KCETPsh2EZTiJqRyu7EO/zmbtcu55WnEmAeJ3kbi8cIgiANrdw5Z17DGxQFNfpnUdauJPrx5gmUTpKZlJ7TJqBHvfK4h1hSqU
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(39850400004)(376002)(136003)(396003)(346002)(366004)(2906002)(64756008)(33656002)(66556008)(66446008)(66946007)(66476007)(26005)(86362001)(83380400001)(4326008)(38070700005)(9686003)(6506007)(8936002)(110136005)(53546011)(5660300002)(316002)(55016002)(76116006)(52536014)(7696005)(8676002)(186003)(71200400001)(38100700002)(508600001)(122000001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: VT3bBqdwv01siEt3fGfh0RB4eFqu1cMzSsduhj+ZbPsslmLXAzF46dPjcUNuR0tJpReC8nfxlBXsCVtWGRNrtB0CCpPZtzHTETUnixIWDD8aXBlr2thulFFWHumkB6FXMYY60AkZghPv+DNEHoRspn0eSdgTiNBXAr9LMR6nCSE99k9p8YCcR2ksUQjqAig+EitTMTkDP3nXJcTu7AFQQ2RoeCqKUATFYHVlmGJvE2t86kCtrDpaud9W8NXtfd5d3jk2n4Bsb6ct5eqAGE0/foAM5S8xWW/ZL3Zp2RUP9mU81JA4BzDiRJ5omSpTB2JILDYangxBrL2fGHwG2x2/uPkZmPVfH3w57MpFBHp6o5PSPuzfV+N7WFx8qvXOhAPzq0CWfXzqYjQF2bPsfTF2dWgS4ggt7N5jKeRCXIck3B1eHRXe1M2iKTStQJN2c3BbJXhb0usJO9lUUjQhr3oyo/O5wohIi4dpFV1/0uBk0YnvtOCjxeAhjHEZjt5Qjr5pgXKOyEqiw5cMVp3Cizj8iewgcyN+xEaN7M0aJgSBKP07KO69HTZfs5Kog9AN0mTON7gx32Koop+hqwuTV3gENwPdwJIKj3LwxZ0rNT0RktQrauHIvvwbYzM6lPgyMnjx1wjORKMR3axyIkxl4LQ+2sm3YX/aHk/x5wl827zErFdGY8+Sh+/F9f9Sr1irVGg3j97qT8OgtpeQSZISB/ndzES1f3zhthnsaMYC0jYKFDc=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a200d03-0cc3-4312-f7fa-08d9516b6d1f
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jul 2021 02:00:08.2278 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3P110MB0491
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/a1hupzPvjZVTCmGIlbNBRdulVls>
Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jul 2021 02:00:16 -0000
Hi Jon! Thanks for the update in -06 and the explanation below. Please see the responses in line. I've deleted all of the items that have been resolved. > -----Original Message----- > From: Peterson, Jon <jon.peterson@team.neustar> > Sent: Monday, July 12, 2021 6:57 PM > To: Roman Danyliw <rdd@cert.org>; acme@ietf.org > Cc: draft-ietf-acme-authority-token@ietf.org > Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05 [snip] > > > > ** ID-Nits reported the following issues with references being > > > > listed but not > > > > used: > > We divided references into normative and informative, and nuked ones that > seemed particularly superfluous (including say acme-telephone). > > For the most part, the new version incorporates your proposed changes to the > text throughout (and hopefully it's a little better editorially). There are only a > few cases where this warrants a bit more comment: Thanks for this clean-up. Are you use that you need the downref to RFC 8396? It's use in the document seems to be for illustrative purpose. If so, we should call this DOWNREF in in the shepherd’s report. > > > > > > > > ** The tkauth-type="atc" type doesn't seem to describe all of > > > > the required information described by Section 3.1 - 3.3 and Section > > > > 9 (Security > > > > Considerations) as being needed for a token format. Specifically: > ... > > > > Perhaps this section is spelling out > > > > requirements for both of those collectively? If so, this should be > > > > explicitly stated (perhaps in the intro to Section 3, reminded in > > > > Sections 4 and > > > 9). > > We've taken the tack you suggest above of clarifying that this requirements > need to be satisfied by a combination of authority-token and its tkauth > subtypes. Thanks for these updates. One remaining thing -- this document seems to be defining and registering the “atc” claim (as in this is the base reference for the claim). However, no guidance is provided on how to compute the fingerprint. On the other hand, Section 5.4 of draft-ietf-acme-token-tnauthlist covers this topic in depth. Is there one fingerprint computation method for all instantiations of the atc claim, or does the procedure vary by the selected tktype. If it’s the former, then the fingerprint computation needs to be here or a normative reference is needed to the tnauthlist. If the method varies by the tktype, then please explicitly state that. > > > > > > > > ** Section 4. Should the values of tktype be constrained to the > > > > IANA "ACME Identifier Types" registry? > > This is another one where I don't have a super strong feeling... it would > certainly be helpful if it were, but it doesn't seem like it's worth normative > language to that effect. I personally do feel that constraining the values of the tktype to some defined set of code points would be helpful and that there would be an identifier-to-atc sub-field mapping. However, if the WG doesn’t want to do that, then minimally we need some text here saying that the ACME client will somehow know how to populate the atc sub-fields (and which ones) based on local configuration or declare out it knows it as out of scope. > > > > ** Section 8. This text registers "atc" as an ACME identifier. > > > > When and how is that used? I thought that identifier profiles > > > > specified an identifier and that the atc what the challenge/verification > type. > > This was a point of misalignment with tnauthlist; we've rectified that by > deleting this "atc" ACME identifier. The inter-relationship between the ACME identifier and validation registries still doesn’t appear to be threaded. Note: (a) Section 9.7.8 of RFC8555 says the following about the Validations Method registry: The "Identifier Type" field must be contained in the Label column of the "ACME Identifier Types" registry. (b) The current (-06) text in Section 7 says: This document requests that IANA populate a new ACME Validation Method (again per [RFC8555]) for the label "tkauth-01", identifier type "atc", an ACME value of "Y", and a reference pointing to [RFCThis]. The current text noted in (b) is using an identifier type of “atc” but (a) explicitly says that only identifier types in the Identifier registry are permitted there. Shouldn’t the identifier type read “TNAuthList” (that’s registered in the draft-ietf-acme-authority-token-tnauthlist)? "atc" isn't a valid ACME identifier type to include in the new order request ("atc" is a tkauth-type). The end-to-end example in Section 4 draft-ietf-acme-authority-token-tnauthlist suggests that. Because the new validation method and new identifier each reference each other, but are in separate documents, we have a circular dependency this first time (which isn’t necessarily problem, we can handle that with a “RFC cluster”). Subsequent identifiers using this challenge won't have that issue. Editorially, this entire IANA section would be clear if each distinction ask to IANA was a separate section. I’m sharing this in advance because this has been a consistent COMMENT provided another AD across a few documents in the IESG review process. Regards, Roman
- [Acme] AD review of draft-ietf-acme-authority-tok… Roman Danyliw
- Re: [Acme] AD review of draft-ietf-acme-authority… Salz, Rich
- Re: [Acme] AD review of draft-ietf-acme-authority… Roman Danyliw
- Re: [Acme] AD review of draft-ietf-acme-authority… Roman Danyliw
- Re: [Acme] AD review of draft-ietf-acme-authority… Roman Danyliw
- Re: [Acme] AD review of draft-ietf-acme-authority… Peterson, Jon
- Re: [Acme] AD review of draft-ietf-acme-authority… Roman Danyliw
- Re: [Acme] AD review of draft-ietf-acme-authority… Peterson, Jon
- Re: [Acme] AD review of draft-ietf-acme-authority… Roman Danyliw