Re: [Acme] I-D Action: draft-ietf-acme-email-smime-10.txt
Fraser Tweedale <frase@frase.id.au> Thu, 12 November 2020 11:53 UTC
Return-Path: <frase@frase.id.au>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8044C3A02BC for <acme@ietfa.amsl.com>; Thu, 12 Nov 2020 03:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iRfYNf3mZPpd for <acme@ietfa.amsl.com>; Thu, 12 Nov 2020 03:53:37 -0800 (PST)
Received: from mail16.tpgi.com.au (mail16.tpgi.com.au [203.12.160.231]) by ietfa.amsl.com (Postfix) with ESMTP id 7A8C73A0141 for <acme@ietf.org>; Thu, 12 Nov 2020 03:53:37 -0800 (PST)
X-TPG-Junk-Status: Message not scanned
X-TPG-Abuse: host=123-243-182-129.static.tpgi.com.au; ip=123.243.182.129; date=Thu, 12 Nov 2020 22:53:34 +1100
Received: from bacardi.hollandpark.frase.id.au (123-243-182-129.static.tpgi.com.au [123.243.182.129]) by mail16.tpgi.com.au (envelope-from frase@frase.id.au) (8.14.3/8.14.3) with ESMTP id 0ACBrWYB031929 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 12 Nov 2020 22:53:34 +1100
Received: from bacardi.hollandpark.frase.id.au (localhost [127.0.0.1]) by bacardi.hollandpark.frase.id.au (8.15.2/8.15.2) with ESMTPS id 0ACBrV3F038138 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Thu, 12 Nov 2020 21:53:32 +1000 (EST) (envelope-from frase@frase.id.au)
Received: (from fraser@localhost) by bacardi.hollandpark.frase.id.au (8.15.2/8.15.2/Submit) id 0ACBrVbQ038137; Thu, 12 Nov 2020 21:53:31 +1000 (EST) (envelope-from frase@frase.id.au)
X-Authentication-Warning: bacardi.hollandpark.frase.id.au: fraser set sender to frase@frase.id.au using -f
Date: Thu, 12 Nov 2020 21:53:31 +1000
From: Fraser Tweedale <frase@frase.id.au>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: acme@ietf.org
Message-ID: <20201112115331.GA95535@bacardi.hollandpark.frase.id.au>
References: <160380657214.27888.3086590447019877950@ietfa.amsl.com> <20201112081453.GZ95535@bacardi.hollandpark.frase.id.au> <e40cb78c-6bc1-c572-a596-e39e53180bda@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <e40cb78c-6bc1-c572-a596-e39e53180bda@isode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/e_HEgK3STrspGk7H0hD4qTrH8bs>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-email-smime-10.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2020 11:53:40 -0000
On Thu, Nov 12, 2020 at 10:03:32AM +0000, Alexey Melnikov wrote:
> Hi Fraser,
>
> Thank you for your comments.
>
> On 12/11/2020 08:14, Fraser Tweedale wrote:
> > Hello!
> >
> > I have some issues with this proposal.
> >
> > 1. It does not adequately explain how the ACME client receives
> > token-part2. "Over HTTPS" is vague. Presumably it comes as a field
> > in the challenge object, e.g.
> >
> > "challenges": [
> > {
> > "type": "email-reply-01",
> > "url": "https://example.com/acme/chall/prV_B7yEyA4",
> > "token-part2": "DGyRejmCefe7v4NfDGDKfA"
> > }
> > ]
> Yes.
> > This needs to be fully specified in the document.
> >
> > 2. It is not stated whether, in addition to sending the response
> > email, the client also has to POST to the challenge URL as specified
> > in RFC 8555 Section 7.5.1 (e.g. to signal that the email has been
> > sent and the server should prepare to receive and process it).
> This might not always be possible when a MUA that doesn't support this
> proposal directly is to be used. But I agree that this needs to be
> clarified one way or another.
>
Alexey, thank you for your quick reply.
If an MUA does not support this proposal directly (i.e. with
integrated ACME client) it will also not be able to create the
order, or finalize it and retrieve certificate. You have to use a
separate ACME client alongside the MUA. Therefore it seems OK to
require the ACME client to POST to the challenge URL. User workflow
would be something like:
1. Use ACME client to submit order, awaits challenge email.
2. Receives challenge email, construct response email (perhaps with
guidance/assistance of ACME client) and send.
3. Tell ACME client that response was sent. ACME client POSTS to
challenge URL, polls authz resource and, if all went well,
finalizes order and emits certificate.
> > I suggest explicitly requiring the client to POST to the challenge
> > URL to advise the server to prepare to receive and validate it.
> > This is what RFC 8555 implies a client should do, and facilitates
> > different approaches to server implementation.
> Yes, based on feedback from other people I realised that this is
> underspecified. I will add description of you points #1 and #2 in the
> next revision.
> > 3. What is the motivation for supporting both text/plain and
> > multipart/alternative in the body of the response email? This
> > complicates server implementations, but I can't think why it would
> > be needed. Please either explain why both options are needed,
> > otherwise could it be limited to text/plain?
>
> Basically this needs to work with existing email clients as is and this
> is not something that can always (or easily) be controlled by users. A
> lot of them will generated multipart/alternative instead of text/plain,
> especially if they want to include nicely formatted HTML.
>
Makes sense. Could you please mention this reason in the document?
Thanks,
Fraser
> Best Regards,
>
> Alexey
>
- [Acme] I-D Action: draft-ietf-acme-email-smime-10… internet-drafts
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Alexey Melnikov
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Fraser Tweedale
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Alexey Melnikov
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Fraser Tweedale
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Alexey Melnikov
- Re: [Acme] I-D Action: draft-ietf-acme-email-smim… Alexey Melnikov