[Acme] AD review of draft-ietf-acme-authority-token-tnauthlist-06

Roman Danyliw <rdd@cert.org> Wed, 14 October 2020 17:03 UTC

Return-Path: <rdd@cert.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E70633A08CA for <acme@ietfa.amsl.com>; Wed, 14 Oct 2020 10:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id iKatUHYtcSoi for <acme@ietfa.amsl.com>; Wed, 14 Oct 2020 10:03:45 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C2F53A0840 for <acme@ietf.org>; Wed, 14 Oct 2020 10:03:45 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu []) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09EH3i6K007695 for <acme@ietf.org>; Wed, 14 Oct 2020 13:03:44 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 09EH3i6K007695
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1602695024; bh=i3crPMTRsXLgQIjag2hvyMAKObuRcQYmv1FADgqpxRU=; h=From:To:Subject:Date:From; b=F0Y11PaxIhzxbiCqrMNE0YWFuisaERn0QMJuylR3VicjrgHbXLMg+JjClTaESS7jD RHRSbNxUX0nQgz2eq7f7yHRBdPJ/qyLMF7NH81f2zQ+B7x22y5LrRy2srNyLplcO4Z zIvJI1yN9hx6w38v9MQ/4oLhS2TdjM8LxMTyjfsc=
Received: from MURIEL.ad.sei.cmu.edu (muriel.ad.sei.cmu.edu []) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 09EH3h8O024061 for <acme@ietf.org>; Wed, 14 Oct 2020 13:03:43 -0400
Received: from MORRIS.ad.sei.cmu.edu ( by MURIEL.ad.sei.cmu.edu ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 14 Oct 2020 13:03:43 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Wed, 14 Oct 2020 13:03:43 -0400
From: Roman Danyliw <rdd@cert.org>
To: IETF ACME <acme@ietf.org>
Thread-Topic: AD review of draft-ietf-acme-authority-token-tnauthlist-06
Thread-Index: AdaiS5HgP06Bl41hSYGCWIW3DKN2/g==
Date: Wed, 14 Oct 2020 17:03:42 +0000
Message-ID: <61b6d533b57e468e83bb4f92e3d6d5d5@cert.org>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/cm1YAPpwOF8FVESGrdLh0bvkCfk>
Subject: [Acme] AD review of draft-ietf-acme-authority-token-tnauthlist-06
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2020 17:03:47 -0000


I performed an AD review of draft-ietf-acme-authority-token-tnauthlist-06.  Below is my feedback.  There might be some negotiation between what text should be here as opposed to draft-ietf-acme-authority-token.

** From idnits (with commentary)

  == Unused Reference: 'ATIS-1000074' is defined on line 565, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC8588' is defined on line 583, but no explicit
     reference was found in the text

  == Outdated reference: A later version (-05) exists of

  == Outdated reference: A later version (-02) exists of

  ** Obsolete normative reference: RFC 2616 (Obsoleted by RFC 7230, RFC 7231,
     RFC 7232, RFC 7233, RFC 7234, RFC 7235)

I believe RFC7235 is the appropriate replacement

  ** Downref: Normative reference to an Informational RFC: RFC 4949

  ** Downref: Normative reference to an Informational RFC: RFC 7340

I don't believe that RFC7340 needs to be normative.

** Section 3.  Editorial. Please update the various dates in examples to be in 2020 (not 2016) so they more closely reflect the publication date

** Section 4.  Per "a CA MUST use the Authority Token challenge mechanism defined in [I-D.ietf-acme-authority-token]", does this text mean "type = tkauth-01" or "type = tkauth-01; tkauth-type = atc"?

** Section 5.  For clarity, it is likely worth repeating that exp, jti and atc are mandatory.

** Section 5.4.  The example of the TNAuthList AT seems to be missing the full payload/protected /signature structure to show the actual binding provided by the server

** Section 5.5.  What the semantics of the response from the authority server described here are different than what is in draft-ietf-acme-authority-token (Section 5: "... in the success case the Token Authority returns a 200 OK with a body of type "application/json" containing the Authority Token").   What is being returned here is not strictly the authority token format.

** Section 5.5.  Per the last paragraph, no issues with the guidance here.  However, it seems odd that this generic behavior is specified here and not in draft-ietf-acme-authority-token.  Generally, speaking all of this normative text for this protocol between the client and the TA should be specified in the authority-token draft so that future profiles (not tnauthlist) can use it.

** Section 8.  Please add that this document inherits the security properties of draft-ietf-acme-authority-token.

** Section 9.  Editorial.  Explicitly name the registry.

This document requests the addition of a new identifier object type
   that can be present in the identifier field of the ACME authorization
   object defined in [RFC8555].

This document requests the addition of a new identifier type to the "ACME Identifier Types" registry defined in Section 9.7.7 of [RFC8555].