Re: [Acme] Adam Roach's Yes on draft-ietf-acme-star-09: (with COMMENT)

Thomas Fossati <Thomas.Fossati@arm.com> Wed, 02 October 2019 05:32 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-acme-star@ietf.org" <draft-ietf-acme-star@ietf.org>, Rich Salz <rsalz@akamai.com>, "acme-chairs@ietf.org" <acme-chairs@ietf.org>, "acme@ietf.org" <acme@ietf.org>, Thomas Fossati <Thomas.Fossati@arm.com>
Thread-Topic: Adam Roach's Yes on draft-ietf-acme-star-09: (with COMMENT)
Thread-Index: AQHVeL/trQz1Zp9fXE6MjOfjyyWffadG5LSA
Date: Wed, 02 Oct 2019 05:32:04 +0000
Message-ID: <CE875B33-DA79-40CF-A5F2-A2BDC1DE4272@arm.com>
References: <156997937225.26436.58523041800874631.idtracker@ietfa.amsl.com>
In-Reply-To: <156997937225.26436.58523041800874631.idtracker@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bHwQKGRhdtZuh0K-DWH0C19j7fE>

Hi Adam,

Thank you very much for your review.

On 02/10/2019, 02:22, "Adam Roach via Datatracker" <noreply@ietf.org> wrote:
> §3.3:
>
> >  o  Intermediaries MAY insert or delete the value, but MUST ensure
> >     that if present, the header value equals the corresponding
> >     value within the credential.
>
> This probably isn't what you want to say. Read literally, this imposes
> a requirement on intermediaries who are neither removing nor adding
> these header fields to validate that they match the value in the
> certs.  That's clearly an unrealistic expectation. I suspect the
> intention here is that any entity who inserts a value must ensure that
> the newly inserted value matches the corresponding value in the
> certificate.

Indeed, good catch.

This and the rest of your comments have been incorporated in [1].

BTW, IESG feedback is being cumulatively processed here [2].

Cheers, thanks!

[1] https://github.com/yaronf/I-D/commit/1c8682a8e22db63dca199dc62979f516f11b975e
[2] https://github.com/yaronf/I-D/compare/acme-star-iesg-processing?expand=1


