[Acme] Next steps on draft-ietf-acme-authority-token-tnauthlist

Roman Danyliw <rdd@cert.org> Thu, 20 October 2022 21:05 UTC

From: Roman Danyliw <rdd@cert.org>
To: "acme@ietf.org" <acme@ietf.org>
Date: Thu, 20 Oct 2022 21:05:34 +0000
Message-ID: <BN2P110MB110775D11A158AFD53D15535DC2A9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/f4w1gLQGCnKZ51OaRhkKeusA_Fs>

Hi!

Thanks for the WGLC to confirm the changes made to draft-ietf-acme-authority-token-tnauthlist in response to the IESG review. I've asked the three ADs holding DISCUSS positions to re-review the document.

I also reviewed the document again and went through the diffs with the chairs and Sean Turner (ARTART reviewer) (thank you!) to generate the following list of additional edits to make or discussion to have:

(1) Per Paul's ballot held for Francesca
==[ snip ]==
** Section 3.

FP: the response is missing the Content-Type field
==[ snip ]==

Edit to make:

OLD:

   HTTP/1.1 201 Created
   Replay-Nonce: MYAuvOpaoIiywTezizk5vw
   Location: https://example.com/acme/order/1234

NEW:

   HTTP/1.1 201 Created
   Content-Type: application/json
   Replay-Nonce: MYAuvOpaoIiywTezizk5vw
   Location: https://example.com/acme/order/1234

(2) Per Éric's ballot

==[ snip ]==
-- Section 6 --
In "then the CA MUST set the challenge object "status" to "valid"", isn't it up to the ACME server to do this action?
==[ snip ]==

Edit to make:

s/then the CA MUST/then the ACME server MUST/

(3) Per Lars' ballot

-- Section 5.4:
OLD
"ca" is an optional key, if it not included the "ca" value is considered false by default.
NEW
"ca" is an optional key, if not included the "ca" value is considered false by default.

-- Section 9: s/a SPC/an SPC

(4) Per Ben's ballot

==[ snip ]==
(3) I think my discuss point on draft-ietf-acme-authority-token about
how the issuer is identified will also apply (with slight modification)
to this document -- in §5.1 we have text that indicates either "iss" or
"x5u" identifies the issuer, which I do not believe to be accurate.

==[ snip ]==

5.1.  "iss" claim

   The "iss" claim is an optional claim defined in [RFC7519]
   Section 4.1.1.  It can be used as a URL identifying the Token
   Authority that issued the TNAuthList Authority Token beyond the "x5u"
   or other Header claims that identify the location of the certificate
   or certificate chain of the Token Authority used to validate the
   TNAuthList Authority Token.


Why does draft-ietf-acme-authority-token allow for the possibility of "x5c", but the text here doesn't mention it?

Thanks,
Roman
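Two of the points above (Ben's DISCUSS on how the issuer is identified in §5.1, and the §5.4 wording on the optional "ca" key) describe rules a relying party has to apply when it consumes a TNAuthList Authority Token. The following validator is an added example written for this thread, not code from the draft, its authors, or any ACME implementation. It encodes only what the message states: the Token Authority is identified by the certificate referenced in the "x5u" header (or carried inline in "x5c"), "iss" is merely an optional informational URL, and an absent "ca" means false. The "atc" claim layout ("tktype", "tkvalue", "ca", "fingerprint") is the one the author recalls from draft-ietf-acme-authority-token and is an assumption here; all sample values, URLs and function names are constructed, and signature verification is intentionally left out because no keys are involved.

```python
"""Structural checks on a TNAuthList Authority Token (compact JWS).

Added example; not from the draft or the mailing-list message.  Claim and
header names follow draft-ietf-acme-authority-token as recalled by the
author (assumption).  No signature is verified here.
"""
import base64
import json
import time
from typing import Dict, Optional, Tuple

# Constructed placeholders, not real values from any deployment.
SAMPLE_X5U = "https://tokenauthority.example.invalid/chain.pem"
SAMPLE_TKVALUE = "AAAAAAAAAAA="  # opaque placeholder, not a valid TNAuthList


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_unsigned_token(header: Dict, payload: Dict) -> str:
    """Serialise header.payload.<empty signature> purely to feed the
    structural checks below; a real token carries the Token Authority's
    signature in the third part."""
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     ""])


def parse_token(token: str) -> Tuple[Dict, Dict]:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three parts")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def check_authority_token(token: str, now: Optional[float] = None) -> Dict:
    """Apply the rules discussed in the thread and return what a CA would
    act on.  Raises ValueError on any structural problem."""
    header, payload = parse_token(token)

    alg = header.get("alg")
    if not alg or alg.lower() == "none":
        raise ValueError('header "alg" missing or "none"')

    # Issuer identification: the certificate (chain) named by x5u, or
    # carried in x5c, identifies the Token Authority.  "iss" does not.
    if "x5u" in header:
        cert_source = "x5u"
    elif "x5c" in header:
        cert_source = "x5c"
    else:
        raise ValueError('header must carry "x5u" or "x5c"')

    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError('"exp" claim missing')
    if (now if now is not None else time.time()) >= exp:
        raise ValueError("token expired")

    atc = payload.get("atc")
    if not isinstance(atc, dict):
        raise ValueError('"atc" claim missing')
    if atc.get("tktype") != "TNAuthList":
        raise ValueError('"atc.tktype" is not TNAuthList')
    tkvalue = atc.get("tkvalue")
    if not isinstance(tkvalue, str) or not tkvalue:
        raise ValueError('"atc.tkvalue" missing')

    # Section 5.4: "ca" is optional and is false when not included.
    ca = atc.get("ca", False)
    if not isinstance(ca, bool):
        raise ValueError('"atc.ca" must be a JSON boolean when present')

    return {
        "cert_source": cert_source,       # which header named the issuer cert
        "cert_ref": header[cert_source],
        "iss": payload.get("iss"),        # informational only
        "ca": ca,
        "tkvalue": tkvalue,
        "fingerprint": atc.get("fingerprint"),
    }


if __name__ == "__main__":
    tok = build_unsigned_token(
        {"typ": "JWT", "alg": "ES256", "x5u": SAMPLE_X5U},
        {"exp": 2000000000, "jti": "constructed-id",
         "atc": {"tktype": "TNAuthList", "tkvalue": SAMPLE_TKVALUE}})
    print(check_authority_token(tok, now=1700000000))
```

The returned "cert_source" field makes the §5.1 point concrete: whatever "iss" says, the relying party fetches or reads the certificate from "x5u"/"x5c" and treats its subject as the Token Authority, so an "iss" mismatch is at most a logging hint, never an identity decision.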