Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-star-delegation-07: (with DISCUSS and COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 11 June 2021 08:54 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Yaron Sheffer <yaronf.ietf@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-acme-star-delegation@ietf.org" <draft-ietf-acme-star-delegation@ietf.org>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, "ynir.ietf@gmail.com" <ynir.ietf@gmail.com>, "rsalz@akamai.com" <rsalz@akamai.com>, Thomas Fossati <Thomas.Fossati@arm.com>
Date: Fri, 11 Jun 2021 08:54:17 +0000
Message-ID: <4FF8AAB5-4718-4D91-A8BC-F1D8F5D2F8AC@arm.com>
References: <161785721553.2892.15997097506064189797@ietfa.amsl.com> <79202B74-A6EB-4B5C-89FF-AF6D59BE236A@arm.com> <20210609225906.GS32395@kduck.mit.edu>
In-Reply-To: <20210609225906.GS32395@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/agQcoGD3LE1bWi0ZxD_xPQlQIJM>

Hi Ben,

Thank you again for your comments; Yaron has just pushed -09 which
should address most of them -- see below for the detail.

(I am merging this together with your Ballot email to have all the
discussion in one place.)

On 10/06/2021, 08:00, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
> I think we are in agreement on the behavior of B in the respective
> cases, and thank you for writing them out clearly to anchor the
> discussion.  I suspect that I'm just bothered by the word "decide" --
> to me it implies a choice among several possibilities, but most of the
> time there is only one possibility that will actually work, and thus
> not a real choice.  (What with failure not being an option, and all ;)
> If we instead used language along the lines of "might behave" for each
> case, I don't think it would seem problematic to me.

We changed "decide" to "might behave" as you suggest.

On 09/06/2021, 23:59, "Benjamin Kaduk via Datatracker" <noreply@ietf.org> wrote:
> Section 2.3.1.3
>
>    In order to indicate which specific delegation applies to the
>    requested certificate a new "delegation" attribute is added to the
>    Order object on the NDC-IdO side (see Figure 4).  The value of this
>
> We might want to get the phrase "request object" in here somehow, since
> we go on to talk about returning an error response, which is of course
> only possible if there is a corresponding request.  (The next section
> does talk about the "request object created by the NDC").

Done.

> Section 2.3.2
>
>    If the delegation is for a STAR certificate, the request object
>    created by the NDC:
>    [...]
>    *  MUST have entries in the "identifiers" field for each delegated
>       name present in the configuration;
>
> Just to confirm: this is saying that the request/order must request a
> certificate for all names covered by the delegation; it cannot request
> only a subset of the names in the particular delegation object?  On
> first read this seems a bit restrictive, but I suppose it can make
> state handling at the IdO easier since the information from the
> delegation object can be used to construct the request to the actual
> CA.  (Similarly for the non-STAR case in §2.3.3, of course.)

Yes.

> The example delegation URL in Figure 4 doesn't match the URL structure
> used for the example delegation list in Section 2.3.1.2.  (This is not
> inherently problematic, but could cause a small amount of reader
> confusion.)  The same identifier occurs in several subsequent figures,
> as well.

Done - with a cameo :-)

> Section 3
>
>    Although most of this document, and in particular Section 2 is
>    focused on the protocol between the NDC and to IdO, the protocol does
>    affect the ACME server running in the CA.  A CA that wishes to
>    support certificate delegation MUST also support unauthenticated
>
> Is it correct to say "non-STAR certificate delegation" here?  (The
> corresponding change needed to support STAR delegation would have been
> done already to support non-delegated STAR issuance, if I understand
> correctly.)

I don't think the observation is correct: STAR issuance does not require
the server to support unauthenticated GET.  It is a feature that the
client needs to request explicitly, and the server could refuse if it
does not implement it -- or for any other reason.  (See Section 3.4 of
RFC8739.)

Or have I misinterpreted your thought?

> Section 7.2
>
>    The ACME account [...]
>
> Please double-check and confirm that the singular 'policy' and
> '"delegation" object' are as intended here.  IIRC we do allow multiple
> delegation objects to be associated with a single account.

Done, thanks for spotting this!

cheers, t
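As an added illustration of the IdO-side checks discussed above (not code from the draft or its authors), the following Python sketch validates an NDC order against a delegation configuration: the cited "delegation" URL must be known, and the "identifiers" must cover every delegated name, not a subset. The delegation object layout, the URLs, the names and the STAR "auto-renewal" requirement are constructed assumptions for this example.

```python
from typing import Dict, List

# Constructed delegation configuration held by the IdO, keyed by the
# delegation URL that the NDC cites in its order (hypothetical values;
# the real delegation object layout is defined by the draft, not here).
DELEGATIONS = {
    "https://ido.example/acme/delegation/1": {
        "star": True,
        "delegated-names": ["abc.ndc.ido.example", "xyz.ndc.ido.example"],
    },
}


def check_ndc_order(order: Dict, delegations: Dict = DELEGATIONS) -> List[str]:
    """Return a list of problems with an NDC order; an empty list means OK.

    The order must cite a known "delegation" URL, and its "identifiers" must
    contain every delegated name in that configuration (Section 2.3.2 of the
    draft, confirmed in the thread: a subset is not allowed).  Names outside
    the delegation are also rejected (assumption: the IdO has no configuration
    from which to build the upstream CA request for them).
    """
    problems: List[str] = []
    url = order.get("delegation")
    if url not in delegations:
        return ['unknown or missing "delegation" attribute: %r' % (url,)]
    cfg = delegations[url]
    requested = set()
    for ident in order.get("identifiers", []):
        if ident.get("type") != "dns":
            problems.append("unsupported identifier type: %r" % (ident.get("type"),))
            continue
        requested.add(ident.get("value", "").lower())
    delegated = {n.lower() for n in cfg["delegated-names"]}
    missing = sorted(delegated - requested)
    extra = sorted(requested - delegated)
    if missing:
        problems.append("identifiers missing delegated names: " + ", ".join(missing))
    if extra:
        problems.append("identifiers outside the delegation: " + ", ".join(extra))
    # Assumption: a STAR delegation needs the RFC 8739 "auto-renewal" object.
    if cfg["star"] and "auto-renewal" not in order:
        problems.append('STAR delegation requires an "auto-renewal" object')
    return problems


# Constructed sample order from an NDC, covering both delegated names.
SAMPLE_ORDER = {
    "delegation": "https://ido.example/acme/delegation/1",
    "identifiers": [{"type": "dns", "value": "abc.ndc.ido.example"},
                    {"type": "dns", "value": "xyz.ndc.ido.example"}],
    "auto-renewal": {"lifetime": 604800},
}
```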