IETF Logo Mail Archive

Re: [Acme] AD review of draft-ietf-acme-authority-token-05

Roman Danyliw <rdd@cert.org> Fri, 09 July 2021 19:31 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 033DB3A2C83; Fri, 9 Jul 2021 12:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMkuGNxkr0_X; Fri, 9 Jul 2021 12:31:41 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0124.outbound.protection.office365.us [23.103.208.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7093A2C55; Fri, 9 Jul 2021 12:31:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=lcHuFypOKTRtgD9NMYNYpwUlqIi2QWhiLh3WXrsa0PcLwXpfDOBrFQLExvQ1A9s/WMBkMGNO77ZKB/ge8bCFodgOcKE87pw0HfIeGr7s6raBOdnLmuphLmXy92srS9g3Uyl+Ih8m5171K0Yg7w4SUw0Zxq2vmNj1CeUIrmzTwCOGweVkhrORGw2x9Q/XyKm2gqazq5h+Do+D/rmFA1cRchj/0ICOVRSvV4KCh1hAd+INr7Wvov9oJ84DdBD/c+HCLC00diWBHVR1KUlvYhcYVU3L7K03QCQ0MSmpnpTqJIZmMmXymNRiyRcl4KPouQ5zYUvd3757HyB2Sr3cS6UaYA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v/rgz4jM/d8o1UfKW1jpC057IXF4X1wdEuLACzLKcJQ=; b=kDCtbi1p5miH7HDZwv3w2SiXYC3wcQLTddNTabZalHd6LxI2Uf2aWE4dW+sRBeDsydnqB7F/NbWyg9hbAbtvKw1MRoDEP4oIwyEJMpaBDfx0rZLdLioNG3oOxJHDwK1sI2H8D1sc94pE5govJbQoFjCYkQj0uvNlmjo7AIX1q0q4XbNUB4AE/EvOA4C3K7LNPcqmynzxQK0BtRLwhA5xAzVhnfXXkNMrhTSB1yC5GLWZRh8z2Cyha+KoBzeLRLoyaR94KQrBVxo2Ma3JkN3168nLRlNiVNyOmR2gBAWku55wp8ZH1A6w70l7y1EZm2bS7zUIhJYZn83ygTIKBTiaIw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=v/rgz4jM/d8o1UfKW1jpC057IXF4X1wdEuLACzLKcJQ=; b=K4/niVqev8qC5A/6bCseRqSrlYSjZx0T7yFMKl3aqxDahyHw33zjB89nVPU2sZsj1CkpI29LZlS22jk3Tf60FvB8LAfW8wmE8ICx0mXPHhDY7xgjvW7Gtah00et4zG2WkELf6FyVxRve6OsFhOd3D7W3kTWUog/erk/K2zNyr9c=
Received: from DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:414::9) by DM3P110MB0508.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:413::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4308.23; Fri, 9 Jul 2021 19:31:36 +0000
Received: from DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM ([fe80::8156:6fdb:538a:7d36]) by DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM ([fe80::8156:6fdb:538a:7d36%5]) with mapi id 15.20.4308.023; Fri, 9 Jul 2021 19:31:36 +0000
From: Roman Danyliw <rdd@cert.org>
To: "acme@ietf.org" <acme@ietf.org>
CC: "draft-ietf-acme-authority-token@ietf.org" <draft-ietf-acme-authority-token@ietf.org>
Thread-Topic: [Acme] AD review of draft-ietf-acme-authority-token-05
Thread-Index: AQHW6ejlOEYeQcveQkikId7N6kJ3Waq2j80AgCoPh8CAW30v8A==
Date: Fri, 09 Jul 2021 19:31:35 +0000
Message-ID: <DM3P110MB05386DAABC8EAFF8FF322ECFDC189@DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM>
References: <9FF54993-6265-49F5-9663-63A99DB7762B@akamai.com> <5bcc3911ebce4a78a26a98df1575210d@cert.org> <cf930a798fcd433c889a61ca16f0a3d0@cert.org>
In-Reply-To: <cf930a798fcd433c889a61ca16f0a3d0@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cert.org;
x-originating-ip: [128.237.16.29]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ecd78136-e79a-46b3-01f5-08d943102a72
x-ms-traffictypediagnostic: DM3P110MB0508:
x-microsoft-antispam-prvs: <DM3P110MB05088C4350535CAA71372CB7DC189@DM3P110MB0508.NAMP110.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: X54TdWI29HNs++/UAhmsk033xhMTBeP3iv1RU+JE46f0e+ZzR/WEARXx9cObFq43EVplLGY+kzHVfox4oM/cBvOtSV1n1bmQ2lphnnXS6GtHmF2fgcs+6lyLMnrPFkmzV0pndmc5OIM6AdDI8b1RKNWvR6TmaONX/ODYhtlGojaQXD398WwsJNEi1x2yC8zg4dCgqJJH8UKZr8EWZ66irvCgSoP8jQugE+bqCb+m6y17zERBpb4Qv3SDZ32mjpHw3ftMQca/q8QdR1Ivw9jM6cmQg1inV9G2RazQ+9AvJ12V6Ew+ci7ap/ULTiePhfFm+Fvvc+3n3dggHnqz3wAISn4ACj0MH0Hed+O2Nsq5mKGTT0dq5cUJkuJBO8x+Pmg6I8O9+AGiRt2ie1SgLAqnKso65Bep3byAV3ZxhxFUfpKFgdyiFyvu2CumubYs3c5heZA+e4qlKBuK1tLwxMsF3Kb+TLyVUsn7CWdVlrpkXPbDMxfdWQgZ/kpQIDzGgN0mk+1/+T8mSDKxjZ0RvOP3Sof+WuXiKth7klfZFkgyZEjdwl++bYEksDF7sXYZxaC26nCLl0WqnyiCsKnCrjDaJTVQZUpitU6sPUEnUokwdNqepTgAFBC26QPD6FAjrkgL
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(39850400004)(366004)(396003)(346002)(376002)(136003)(186003)(66946007)(83380400001)(122000001)(6916009)(76116006)(64756008)(86362001)(66476007)(66556008)(26005)(19627235002)(6506007)(53546011)(9686003)(8676002)(4326008)(33656002)(38100700002)(5660300002)(966005)(8936002)(7696005)(30864003)(52536014)(2906002)(66446008)(71200400001)(478600001)(55016002)(316002)(450100002)(21314003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: zfVSpm6n5O4ktUnjj7YbWirL+EsSqrrktsV5hPs3Jr3MFvu7i07zfPsE0HQN6smsYicdFuJGbONoiXkn1RlbL47h7WhnKg7OiMfoSkY/r5j+tcq5vKEdIBmvF1SCw0veC0nqQdQtjEn3D4sUP6B7s7bIrVyiTNrnCSi4ZP98GEBn5+EAABYJN5xvenhXB/Oc6EdUTaZmWUEy4iOjDVleC0cd9C3mLJh7418uO9qEFeV8x9jvvC37ZyZBm2jsscKoTuGF/NSmB02An6i0OoV8sNEdgrJKkz1TKOsmMn2u7VyQSLALf3IPvH5Z14v2D1eLHj4e8wFsqrF/8d1VUCsPX+ZfdBZmut5ZH25+GjX5Ea7MOcn+ZLTe9+bXfZCmtPJU7vEX2z9LdldzsvnNmroAcXDGBMo/TC5yujvzA1Ux1m0hlIYGXNw3AiF2E2hVLE3J6Z3jivXIy/KLY5v1B6613mEPca0FemHD/ro8EE0ZrmKvK957KB40rfHeAcYJHzFmsyUwdDM56X1jfR8eobqz5MJlWe7I28j6O5no9it76/9GAwiP4Rq8UfgUJr/R0mlDY5WZM7UdeBsIBPz0hOE7SxgzsEG/DqzhyBN6mdoJsawTXBhHS40DMpqQZOWWNJo8IMbU/FyJhRL7qgFQyv2XP8vQNk3cEHgA+IKsSfwTprHC59lrgQXsP+6MWfRMcv9N+kAMlRU2/qbuV7MnMa28Xw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM3P110MB0538.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: ecd78136-e79a-46b3-01f5-08d943102a72
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2021 19:31:35.9018 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3P110MB0508
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/aYX5gdfwILJliU9v_UeCIkXexRY>
Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jul 2021 19:31:49 -0000

Hi!

Checking in again on addressing the AD review feedback from October 2020 (~9 months ago).  

If we can't determine the disposition of this document on list, let's carve out agenda time on the IETF 111 to decide how to proceed -- coordinate with STIR on still needing it?  appoint additional authors?  drop the document?

Regards,
Roman

> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: Wednesday, May 12, 2021 10:41 AM
> To: acme@ietf.org
> Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
> 
> Hi!
> 
> I wanted to check-in with the WG on the next steps for draft-ietf-acme-
> authority-token.  I performed an AD review on it in October-2020 (~7 months)
> and haven't heard back.  Rich and I asked again in January 2021 and April 2021
> but got no response.  Is this document something the WG still wants to
> advance?
> 
> Regards,
> Roman
> 
> 
> > -----Original Message-----
> > From: Acme <acme-bounces@ietf.org> On Behalf Of Roman Danyliw
> > Sent: Thursday, April 15, 2021 4:01 PM
> > To: Salz, Rich <rsalz@akamai.com>; Chris Wendt
> > <chris-ietf@chriswendt.net>; Mary Barnes <mary.ietf.barnes@gmail.com>;
> > Peterson, Jon <jon.peterson@team.neustar>; davidhancock.ietf@gmail.com
> > Cc: acme@ietf.org
> > Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
> >
> > Hi!
> >
> > I'm checking in on status of this document.  I'd like to batch it with
> > draft-ietf- acme-authority-token-tnauthlist when they go to the IESG.
> >
> > Thanks,
> > Roman
> >
> > > -----Original Message-----
> > > From: Salz, Rich <rsalz@akamai.com>
> > > Sent: Wednesday, January 13, 2021 3:16 PM
> > > To: Roman Danyliw <rdd@cert.org>; Chris Wendt
> > > <chris-ietf@chriswendt.net>; Mary Barnes
> > > <mary.ietf.barnes@gmail.com>; Peterson, Jon
> > > <jon.peterson@team.neustar>; davidhancock.ietf@gmail.com
> > > Cc: acme@ietf.org
> > > Subject: Re: [Acme] AD review of draft-ietf-acme-authority-token-05
> > >
> > > Authors,
> > >
> > > Have these been addressed?  Soon?
> > >
> > > On 10/14/20, 1:00 PM, "Roman Danyliw" <rdd@cert.org> wrote:
> > >
> > >     Hi!
> > >
> > >     I performed an AD review of draft-ietf-acme-authority-token.
> > > Thanks for writing this document in an extensible way (for
> > > additional token types).  Below is my detailed feedback.
> > >
> > >     ** What is the intended status of this document? The document
> > > says Informational; the datatracker and the shepherd's report says
> > > Proposed Standard.  TnAuthlist is PS.  These four places need to be
> consistent.
> > >
> > >     ** Are there implementations of this document?  The rough
> > > history in ACME seems to have been PS should have implementation
> experience.
> > > Is the link to STIR decisive here (to make it PS)?
> > >
> > >     ** ID-Nits reported the following issues with references being
> > > listed but not
> > > used:
> > >       == Unused Reference: 'I-D.ietf-acme-service-provider' is defined on line
> > >          455, but no explicit reference was found in the text
> > >
> > >       == Unused Reference: 'I-D.ietf-acme-star' is defined on line 460, but no
> > >          explicit reference was found in the text
> > >
> > >       == Unused Reference: 'RFC7340' is defined on line 477, but no explicit
> > >          reference was found in the text
> > >
> > >       == Unused Reference: 'RFC8224' is defined on line 494, but no explicit
> > >          reference was found in the text
> > >
> > >       == Unused Reference: 'RFC8225' is defined on line 500, but no explicit
> > >          reference was found in the text
> > >
> > >     ** Additionally, on the topic of references, why are
> > > [I-D.ietf-acme-authority- token-tnauthlist] , [RFC7340] and
> > > [RFC8226]
> > normative?
> > >
> > >     -- Section 1. [I-D.ietf-acme-telephone] is an expired draft that
> > > doesn't appear to be actively advanced.  Given that it primarily to
> > > show an example use case, it should likely be an informative, not
> > > normative,
> > reference.
> > >
> > >     ** In the introductory materials (abstract and/or Section 1), I
> > > would have benefited from an upfront statement that this document is
> > > describing an architecture for Authority Tokens, a particular token
> > > format, a new protocol for retrieving the token, and integration of
> > > this token into an ACME challenge.  In particular the existence of
> > > the new protocol (between the TA and the client) was not clear.
> > >
> > >     ** The tkauth-type="atc" type doesn't seem to describe all of
> > > the required information described by Section 3.1 - 3.3 and Section
> > > 9 (Security
> > > Considerations) as being needed for a token format.  Specifically:
> > >
> > >     (a) Section 3.1.  Per "Definitions of a tkauth-type MUST specify
> > > how they manage the freshness of authority assignments", how is
> > > freshness of authority assignment handled in tkauth-type="atc"?
> > >
> > >     (b)  Section 3.2 suggests that tokens need to convey scope.
> > > This scope seems to be identifier specific conveyed through the tkvalue.
> > > However, the values of tkvalue is out of scope of this document.
> > >
> > >     (c) Section 3.3. suggests "To mitigate this, Authority Tokens
> > > contain a binding signed by an Authority".  Section 9 says "... all
> > > Authority Tokens MUST contain a field that identifies to the CA
> > > which ACME client requested the token from the authority; here that
> > > is the fingerprint specified in Section 4)."  However, Section
> > > 4 says, "For the purposes of the "atc" tkauth-type, the binding
> > > "fingerprint" is assumed to be a fingerprint of the ACME credential
> > > for the account used to request the certificate, but the
> > > specification of how the binding is generated is left to the
> > > identifier type profile for the Authority Token."  This seems to
> > > suggest that defining the binding
> > computation is out scope of this document.
> > >
> > >     For the binding, I'm curious on how is it computed (on what input?
> > > How are algorithms/keys selected) and when does this need to occur?
> > >
> > >     Minimally, it seems that properties (b) and (c) can only be
> > > satisfied with the combination of this document and a particular
> > > "identifier profile".  Perhaps this section is spelling out
> > > requirements for both of those collectively?  If so, this should be
> > > explicitly stated (perhaps in the intro to Section 3, reminded in
> > > Sections 4 and
> > 9).
> > >
> > >     ** Editorially, decide on where the text will use AT and TA;
> > > Authority Token and Token Authority; or token and authority.  It
> > > would be clear if it was the fewest possible version of this key terms.
> > >
> > >     ** Section 3.  Editorial.  The title "Challenges for an
> > > Authority Token" might be clearer if reworded given that ACME has
> > > "challenges" - perhaps s/Challenges for an Authority Token/ACME
> > > Authority Token Challenge/
> > >
> > >     ** Section 3.  The text notes that authority tokens can be used
> > > for ACME challenges, but this document doesn't add a new challenge
> > > type to the "ACME Validation Methods" registry.  Section 6 provides
> > > an example using token- tnauthlist which seems to suggest a
> > > type="tkauth-01", but that isn't specified in
> > > draft-ietf-acme-token-tnauthlist
> > or this document.
> > >
> > >     I also found it jarring to jump into the discussion of
> > > tkauth-type and token authority without a bit more context.  I
> > > recommend replacing the last paragraph as follows:
> > >
> > >     OLD
> > >     ACME challenges that support Authority Tokens ...
> > >
> > >     NEW
> > >
> > >     The ACME Authority Token Challenge, "tkauth-01", supports
> > > different token types.  The token type is determined by a new ACME
> > > challenge field, tkauth- type.  An IANA registry is used to manage
> > > the values of tkauth-type, see Section 8.*.  Additionally, this
> > > challenge also has a new "token-authority" field to designate a
> > > location where a token
> > can be acquired.
> > >
> > >     ** Section 3.1. Per "The IANA will maintain a registry of
> > > tkauth-types under a policy of Specification Required", move this
> > > text about registry policy to the IANA section
> > >
> > >     ** Section 3.1.  Per "... future specifications must indicate
> > > how a token conveys to the CA the name(s) ...", is there a reason
> > > this isn't a normative MUST?
> > >
> > >     ** Section 3.1.  Per "The protocols used to request an Authority
> > > Token MUST convey to the Token Authority the identifier type and
> > > value from the ACME challenge ...", the language of "from the ACEM
> > > challenge" suggests only a workflow where the token is requested
> > > after engagement with the ACME server.  However, Section 3.2
> > > suggests that a client might get the token before engaging the ACME
> > > server.  Maybe s/from the ACME challenge/from or what will be used
> > > in the ACME challenge/
> > >
> > >     ** Section 3.2.  Editorial. Somewhere earlier in the text state
> > > "Authority Token (AT)", as no text currently establishes this acronym.
> > >
> > >     ** Section 3.2.  Editorial. Consistently use "Authority Token",
> > > s/to a client a Token/to a client an Authority Token/
> > >
> > >     ** Section 3.2.  Per "an Authority Token could attest to all of
> > > the resources that the client is eligible to receive certificates
> > > for", couldn't this leaks information to a CA, if that single CA is
> > > not
> > responsible for all of the scopes?
> > >
> > >     ** Section 3.2. Editorial. Consistently use "Token Authority"
> > > instead of "Authority" to make it clear were aren't saying
> > > "Certificate
> > Authority"
> > >
> > >     ** Section 3.3.  Editorial. I found it confusing to use "binding"
> > > and both a noun and a verb:
> > >     -- "To mitigate this, Authority Tokens contain a binding signed
> > > by an Authority ..."
> > >     -- "Binding an Authority Token to a particular ACME account ..."
> > >
> > >     ** Section 4.  Editorial.
> > >
> > >     OLD
> > >     This draft registers a tkauth-type of "atc", for the Authority Token
> > >        Challenge.   Here the "atc" tkauth-type signifies a standard JWT token
> > >        [RFC7519] using a JWS-defined signature string [RFC7515]. This may
> > >        be used for any number of different identifier types given in ACME
> > >        challenges.  The "atc" element (defined below) lists the identifier
> > >        type used by tokens based on ATC .  The use of "atc" is restricted to
> > >        JWTs, if non-JWT tokens were desired for ACME challenges, a different
> > >        tkauth-type should be defined for them.
> > >
> > >     NEW
> > >     This draft specifies a tkauth-type of "atc" which is a standard
> > > JWT token [RFC7519] using a JWS-defined signature string [RFC7115].
> > > The "atc" tkauth- type MAY be used for any number of different ACME
> > > identifier types in the ACME challenge.  A new JWT claim, "atc", is
> > > defined below and lists the identifier type used in this Authority
> > > Token.  The "atc" tkauth-type is restricted to the JWTs; if a
> > > non-JWT token format is desired for the ACME Authority Token
> > > Challenge, a different tkauth-type should be specified and registered in the
> "xxx"
> > > registry defined in Section 8.*
> > >
> > >     ** Section 4.  Editorial. ATC is used but never explicitly
> > > defined as being "Authority Token Challenge (ATC)".
> > >
> > >     ** Section 4.  What would be the circumstance where the x5u/iss
> > > would not equal the token-authority?
> > >
> > >     ** Section 4.  Why is "The JWT payload must also contain a ...",
> > > not a normative MUST?
> > >
> > >     ** Section 4.  Should the values of tktype be constrained to the
> > > IANA "ACME Identifier Types" registry?
> > >
> > >     ** Section 4.  This text should explicitly say that "tkvalue"
> > > semantics are outside the scope of this document.
> > >
> > >     ** Section 4. s/"atc" element/"atc" claim/
> > >
> > >     ** Section 4.  The example in this section is missing the full
> > > payload/protected /signature structure to show the actual binding
> > > provided by the server
> > >
> > >     ** Section 5.  This token acquisition protocol seems underspecified:
> > >     -- How does the client authenticate/do authorization with the
> > > HTTPS
> > server?
> > >
> > >     -- Is there any semantics to the resource locator to make for an
> > > interoperable/discoverable URI?
> > >
> > >     -- Does the client get to request a scope?
> > >
> > >     ** Section 5. Editorial. s/a Authority Token/an Authority Token/
> > >
> > >     ** Section 5.1.  It might be useful to show a full server
> > > response example given a particular client request
> > >
> > >     ** Section 5.1
> > >     After an HTTPS-level challenge to verify the identity of the client
> > >        and subsequently making an authorization decision , in the success
> > >        case the Token Authority returns a 200 OK with a body of type
> > >        "application/json"  containing the Authority Token.
> > >
> > >     -- What is an "HTTPS-level challenge"?
> > >
> > >     -- It seems like a few words are missing describing the server's
> > > behavior to describe what happens between client sending the JSON
> > > "atc" blob and returning an authority token?  Should there be text
> > > about signing? The server validating the scope in a some identifier
> > > specific
> > way?
> > >
> > >     -- How is error handling managed with the HTTP error code?  The
> > > TnAuthlist draft actually specifies this behavior more that this
> > > base
> > document.
> > >
> > >     -- Section 5.  Shouldn't a successful response from a Token
> > > Authority return a body of type "application/jwt" if an "authority
> > > token" is being returned per Section 4?
> > >
> > >     ** Section 6.  This section seems underspecified with only the
> > > use of an example.  It provides no normative text on using the
> > > authority token in the ACME challenge.  For example, what type
> > > should be used (tkauth-01)?  What is the cardinality of tk-auth-type, token-
> authority, token?
> > >
> > >     ** Section 8.  This text registers "atc" as an ACME identifier.
> > > When and how is that used?  I thought that identifier profiles
> > > specified an identifier and that the atc what the challenge/verification type.
> > >
> > >     ** Section 8.  Is there a reason that the "atc" claim from
> > > Section
> > > 4 not being registered in the "JSON Web Token Claims" registry?
> > >
> > >     ** Section 8.  Per the registry of "token types", there don't
> > > seem to be enough details here:
> > >     -- Is the intent for the registry to be called (in lower case) "token types".
> > > Shouldn't it be something like "ACME Authority Token Challenge Types"?
> > >
> > >     -- What columns are in that registry?  Please be explicit, if it
> > > is Label and Reference.
> > >
> > >     Regards,
> > >     Roman
> > >
> > >     _______________________________________________
> > >     Acme mailing list
> > >     Acme@ietf.org
> > >     https://urldefense.proofpoint.com/v2/url?u=https-
> > >
> >
> 3A__www.ietf.org_mailman_listinfo_acme&d=DwICAg&c=96ZbZZcaMF4w0F4j
> > > pN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=KKMUAt5wm8Vy2_-
> > > YnBnWkWr_4yD6G9lTMhYZiFQ2J_s&s=K5vl0NrG5LqkL6Qzy-
> > > 8cyQCG1RMqIQwrvCf0jPOBA7w&e=
> >
> > _______________________________________________
> > Acme mailing list
> > Acme@ietf.org
> > https://www.ietf.org/mailman/listinfo/acme
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email