Re: [Acme] AD Review: draft-ietf-acme-caa-05

"Salz, Rich" <rsalz@akamai.com> Sat, 22 December 2018 19:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/aln7Je4oB4giOrgumQLtSzYv8uU>

Would like to see proposed wording, but the concept seems fine.

From: Eric Rescorla <ekr@rtfm.com>
Date: Saturday, December 22, 2018 at 12:26 PM
To: Hugo Landau <hlandau@devever.net>
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] AD Review: draft-ietf-acme-caa-05

This SGTM. ACME editors?

-Ekr


On Sat, Dec 22, 2018 at 8:28 AM Hugo Landau <hlandau@devever.net> wrote:
> > I'm open to alternative methods of preventing conflicts. A prefix could
> > be reserved for CA-specific use, e.g. "nonacme-".
> >
>
> That would be fine.

Amended to:

  Where a CA supports both the "validationmethods" parameter and one or
  more non-ACME challenge methods, it MUST assign identifiers to those
  methods. If appropriate non-ACME identifiers are not present in the
  ACME Validation Methods IANA registry, the CA MUST use identifiers
  beginning with the string "nonacme-". Such identifiers have
  CA-specific meaning.

Attention should be drawn to the following text in the ACME I-D:

  When evaluating a request for an assignment in this registry, the designated
  expert should ensure that the method being registered has a clear,
  interoperable definition and does not overlap with existing validation methods.
  That is, it should not be possible for a client and server to follow the
  same set of actions to fulfill two different validation methods.

  Validation methods do not have to be compatible with ACME in order to be
  registered.  For example, a CA might wish to register a validation method in
  order to support its use with the ACME extensions to CAA
  {{?I-D.ietf-acme-caa}}.

Since this is a prefix and not an entry per se, it seems like the
cleanest way to accommodate this is to amend the ACME I-D, rather than
to use the "IANA Considerations" section, which is currently nil. The ACME
I-D is already referencing ACME-CAA above. But I'm open to suggestions.
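As an added illustration of the amended rule (not code from the thread or from any ACME-CAA implementation), the following sketch shows how a CA might evaluate the "validationmethods" parameter of a CAA "issue" record, treating identifiers from the IANA registry and "nonacme-"-prefixed CA-specific identifiers differently. The registry snapshot, the CA's own method set and the "nonacme-manual-review" identifier are assumptions constructed for the example.

```python
# Constructed snapshot of identifiers assumed to be in the IANA
# "ACME Validation Methods" registry; a real CA would load the live
# registry rather than hard-code it.
ACME_REGISTERED_METHODS = {"http-01", "dns-01", "tls-alpn-01"}

# CA-specific prefix from the amended draft text quoted in the thread.
CA_SPECIFIC_PREFIX = "nonacme-"

# Hypothetical set of methods this particular CA implements. The
# "nonacme-" identifier only has meaning at this CA, per the draft.
CA_SUPPORTED_METHODS = {"http-01", "dns-01", "nonacme-manual-review"}


def parse_issue_value(value):
    """Split a CAA 'issue' property value into (issuer_domain, params).

    The value has the form 'issuer-domain; k1=v1; k2=v2'; parameters
    are returned as a dict with whitespace stripped."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0]
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        k, _, v = p.partition("=")
        params[k.strip()] = v.strip()
    return issuer, params


def classify_methods(methods_param):
    """Classify each comma-separated identifier in 'validationmethods'."""
    result = {}
    for m in methods_param.split(","):
        m = m.strip()
        if m in ACME_REGISTERED_METHODS:
            result[m] = "acme-registered"
        elif m.startswith(CA_SPECIFIC_PREFIX):
            result[m] = "ca-specific"
        else:
            result[m] = "unknown"
    return result


def permitted_methods(caa_issue_value):
    """Return the subset of this CA's methods the record permits.

    A record without 'validationmethods' permits every supported method.
    Unknown identifiers never match anything, so a misspelt or foreign
    identifier restricts issuance rather than silently widening it."""
    _, params = parse_issue_value(caa_issue_value)
    if "validationmethods" not in params:
        return set(CA_SUPPORTED_METHODS)
    allowed = classify_methods(params["validationmethods"])
    return {m for m in CA_SUPPORTED_METHODS if m in allowed}
```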