Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07

Deb Cooley <debcooley1@gmail.com> Thu, 16 June 2022 10:36 UTC

From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 16 Jun 2022 06:35:47 -0400
Message-ID: <CAGgd1OcQmqBweKKgjYxP5se4q5UYmNjA87SN3SV770+xk7ss7Q@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Cc: Dorothy E Cooley <decoole@radium.ncsc.mil>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bnJ6IsuypbD4byIQPqW7KxSGT1M>
Subject: Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07

Thanks for the two reviews w/ comments.  When the authors have addressed
the comments, we can issue a short WGLC.

For the ACME chairs,
Deb Cooley

On Fri, May 27, 2022 at 9:44 AM Carl Wallace <carl@redhoundsoftware.com>
wrote:

> I’ll reply here to add one comment. The introduction of the potential for
> errors due to domains the RA is authorized for and those that may be requested
> is not called out to any extent. It is likely something that is mostly
> addressed by authentication to the RA and could be noted as such in section
> 7.1.  Section 7.5 gets at the issue with the mapping for badIdentity, but
> it could be called out as something that occurs upon submission of a request
> to the RA (vs mapping an ACME error back to the protocol of interest after
> failed interaction with the ACME server).
>
> *From: *Acme <acme-bounces@ietf.org> on behalf of Russ Housley <
> housley@vigilsec.com>
> *Date: *Thursday, May 26, 2022 at 10:25 AM
> *To: *Deb Cooley <debcooley1@gmail.com>, Dorothy E Cooley <
> decoole@radium.ncsc.mil>
> *Cc: *IETF ACME <acme@ietf.org>
> *Subject: *Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07
>
> I have a few comments.  Only one of them will be difficult to sort out.
>
> Section 1, para 1: Please add a cite to [RFC5280] after "X.509 (PKIX)
> certificate".
>
> Section 1, last para: Please reword.  Something like:
>
>    Optionally, ACME for subdomains [I-D.ietf-acme-subdomains] offers a
>    useful optimization when ACME is used to issue certificates for large
>    numbers of devices; it reduces the domain ownership proof traffic as
>    well as the ACME traffic overhead.  This is accomplished by completing
>    a challenge against the parent domain instead of a challenge against
>    each explicit subdomain. Use of ACME for subdomains is not a
>    necessary requirement.
>
> Section 2: Please add a reference for CSR.  Consider [RFC2986].
>
> Section 2: Please add a reference for RA.  Consider [RFC5280].
>
> Section 2: Please add a reference for TLV.  Consider [RFC7170].
>
> Section 4: Please fix the markdown typo: Refer to section {csr-attributes}
> for more details.
>
> Section 7.2 says:
>
>    EST [RFC7030] is not clear on how the CSR Attributes response should
>    be structured, and in particular is not clear on how a server can
>    instruct a client to include specific attribute values in its CSR.
>    [I-D.richardson-lamps-rfc7030-csrattrs] clarifies how a server can
>    use CSR Attributes response to specify specific values for attributes
>    that the client should include in its CSR.
>
>    Servers MUST use this mechanism to tell the client what identifiers
>    to include in CSR request. ...
>
>
> This is a MUST, but it is not really nailed down.  Can we get to a simple
> MUST statement here?  If not, can we at least narrow the possibilities?
>
> Section 7.2: s/The identifier must/The identifier MUST/
>
> Section 7.3: s/certificate MAY be omitted from the chain/certificate
> SHOULD be omitted from the chain/
>
> Section 7.3.2: Please provide references for PKCS#7 and PKCS#10.
>
> Section 7.4: s/id-kp-cmcRA extended key usage bit/id-kp-cmcRA extended key
> usage OID/ (multiple places)
>
> Russ
>
> On May 26, 2022, at 6:58 AM, Deb Cooley <debcooley1@gmail.com> wrote:
>
> Title:  ACME Integrations
>
> Authors: O.Friel, R.Barnes, R. Shekh-Yusef, M.Richardson
>
> Datatracker:
> https://datatracker.ietf.org/doc/draft-ietf-acme-integrations/
> <https://datatracker.ietf.org/doc/draft-ietf-lamps-8410-ku-clarifications>
>
> This document outlines multiple advanced use cases and integrations that
> ACME facilitates without any modifications or enhancements required to the
> base ACME specification.  The use cases include ACME integration with EST,
> BRSKI and TEAP.
>
> Please respond to this WG Last Call by 9 June 2022.
>
> For the ACME WG Chairs,
> Deb
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
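The RA-side identifier check that Carl's comment above concerns (domains the RA is authorized for versus those a client requests), as an added Python example that is not part of this thread or of the draft; the function names, the authorized-domain list and the requested identifiers are assumptions constructed for illustration:

```python
# Added example (not from the draft or this thread): an RA screens the
# identifiers in an incoming EST/BRSKI/TEAP certificate request against the
# domains it is authorized to request from ACME, rejecting a mismatch at
# submission time instead of forwarding it and mapping the ACME error back.
# Function names and the domain lists used with them are illustrative.
from typing import List, Optional, Tuple


def _labels(name: str) -> Optional[List[str]]:
    """Normalize a dNSName and split it into labels; None if malformed.
    A '*' label fails the character check, so wildcards are refused."""
    name = name.strip().rstrip(".").lower()
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    for label in labels:
        if not label or len(label) > 63 or label[0] == "-" or label[-1] == "-":
            return None
        if not all(c.isalnum() or c == "-" for c in label):
            return None
    return labels


def within_authorized_domain(identifier: str, authorized: List[str]) -> bool:
    """True if identifier equals, or is a subdomain of, an authorized domain.
    Matching is on whole labels: "notexample.com" is not under "example.com"."""
    ident = _labels(identifier)
    if ident is None:
        return False
    for parent in authorized:
        par = _labels(parent)
        if par and len(ident) >= len(par) and ident[-len(par):] == par:
            return True
    return False


def screen_request(identifiers: List[str],
                   authorized: List[str]) -> Tuple[List[str], List[str]]:
    """Return (accepted, rejected). Any rejected entry means the RA should
    fail the enrollment locally (e.g. the badIdentity case the thread
    mentions) rather than submit an ACME order the CA will refuse."""
    accepted = [i for i in identifiers if within_authorized_domain(i, authorized)]
    rejected = [i for i in identifiers if i not in accepted]
    return accepted, rejected
```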