Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07
Russ Housley <housley@vigilsec.com> Thu, 26 May 2022 14:25 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8763EC1850EB for <acme@ietfa.amsl.com>; Thu, 26 May 2022 07:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r0RpRx-6tQ04 for <acme@ietfa.amsl.com>; Thu, 26 May 2022 07:25:34 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34169C15790C for <acme@ietf.org>; Thu, 26 May 2022 07:25:34 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id 199881784B6; Thu, 26 May 2022 10:25:33 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 07B8A1787CE; Thu, 26 May 2022 10:25:33 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <ACB2EC99-69D1-4294-8692-F9021C03C0DA@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_857A8E43-3A8B-41E1-9791-DE1792E73427"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Thu, 26 May 2022 10:25:31 -0400
In-Reply-To: <CAGgd1OfQ6D-1GXkBHrSi3CvRZFqzvZaLCPz1mbKgUXij2=L6Ww@mail.gmail.com>
Cc: IETF ACME <acme@ietf.org>
To: Deb Cooley <debcooley1@gmail.com>, Dorothy E Cooley <decoole@radium.ncsc.mil>
References: <CAGgd1OfQ6D-1GXkBHrSi3CvRZFqzvZaLCPz1mbKgUXij2=L6Ww@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/idADSdhx2EkXdUfiUsOdKNBdHrA>
Subject: Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 May 2022 14:25:38 -0000
I have a few comments. Only one of them will be difficult to sort out.
Section 1, para 1: Please add a cite to [RFC5280] after "X.509 (PKIX) certificate".
Section 1, last para: Please reword. Something like:
Optionally, ACME for subdomains [I-D.ietf-acme-subdomains] offers a
useful optimization when ACME is used to issue certificates for large
numbers of devices; it reduces the domain ownership proof traffic as
well as the ACME traffic overhead. This is accomplished by completing
a challenge against the parent domain instead of a challenge against
each explicit subdomain. Use of ACME for subdomains is not a
necessary requirement.
Section 2: Please add a reference for CSR. Consider [RFC2986].
Section 2: Please add a reference for RA. Consider [RFC5280].
Section 2: Please add a reference for TLV. Consider [RFC7170].
Section 4: Please fix the markdown typo: Refer to section {csr-attributes} for more details.
Section 7.2 says:
EST [RFC7030] is not clear on how the CSR Attributes response should
be structured, and in particular is not clear on how a server can
instruct a client to include specific attribute values in its CSR.
[I-D.richardson-lamps-rfc7030-csrattrs] clarifies how a server can
use CSR Attributes response to specify specific values for attributes
that the client should include in its CSR.
Servers MUST use this mechanism to tell the client what identifiers
to include in CSR request. ...
This is a MUST, but is is not really nailed down. Can we get to a simple MUST statement here? If not, can we at least narrow the possibilities?
Section 7.2: s/The identifier must/The identifier MUST/
Section 7.3: s/certificate MAY be omitted from the chain/certificate SHOULD be omitted from the chain/
Section 7.3.2: Please provide references for PKCS#7 and PKCS#10.
Section 7.4: s/id-kp-cmcRA extended key usage bit/id-kp-cmcRA extended key usage OID/ (multiple places)
Russ
> On May 26, 2022, at 6:58 AM, Deb Cooley <debcooley1@gmail.com> wrote:
>
> Title: ACME Integrations
>
> Authors: O.Friel, R.Barnes, R. Shekh-Yusef, M.Richardson
>
> Datatracker: https://datatracker.ietf.org/doc/draft-ietf-acme-integrations/ <https://datatracker.ietf.org/doc/draft-ietf-lamps-8410-ku-clarifications>
>
> This document outlines multiple advanced use cases and integrations that ACME facilitates without any modifications or
> enhancements required to the base ACME specification. The use cases include ACMEintegration with EST, BRSKI and TEAP.
>
> Please respond to this WG last Call by 9 June 2022.
>
> For the ACME WG Chairs,
> Deb
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
- [Acme] WG Last Call for draft-ietf-acme-integrati… Deb Cooley
- Re: [Acme] WG Last Call for draft-ietf-acme-integ… Russ Housley
- Re: [Acme] WG Last Call for draft-ietf-acme-integ… Carl Wallace
- Re: [Acme] WG Last Call for draft-ietf-acme-integ… Deb Cooley
- Re: [Acme] WG Last Call for draft-ietf-acme-integ… Owen Friel (ofriel)