Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
Aaron Gable <aaron@letsencrypt.org> Tue, 27 February 2024 05:25 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D658DC18DB9B for <acme@ietfa.amsl.com>; Mon, 26 Feb 2024 21:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GF_BV_cDaY6e for <acme@ietfa.amsl.com>; Mon, 26 Feb 2024 21:24:57 -0800 (PST)
Received: from mail-oa1-x31.google.com (mail-oa1-x31.google.com [IPv6:2001:4860:4864:20::31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61E49C1782B5 for <acme@ietf.org>; Mon, 26 Feb 2024 21:24:09 -0800 (PST)
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-21fa97a9c53so1665693fac.3 for <acme@ietf.org>; Mon, 26 Feb 2024 21:24:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1709011448; x=1709616248; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bLor3VvDNnB++xaiNc//I/5mIkvHSNePLfGbR2yeLyU=; b=YFoO3ioz8G8ohUvWsFc2Y+CiQ2j7pN6it0SG5kbgIS6ac6GMgZDLRZIWHYY+/rgULE DeFYf7Nel8+ngcc0o7lGTU2VS0ygv4kbuXGlSJjMVcS0D5R9bd1jLLCQN1vriVV0TxUU 78DjCbHF7iOUlqrAPITACOrLCV4f8fpDHSTus=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709011448; x=1709616248; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bLor3VvDNnB++xaiNc//I/5mIkvHSNePLfGbR2yeLyU=; b=j+o2/TAQNAnZPlUw8AvWX2RRkvIylIxFmHtDngeH4iw97TT36H483kqk8kUxxXN+Es M6knWM4q6Eb6B9cQ2YgwXM3W7/1j0dpjvkB8GAPFgsiTq/HgFgQ5emD/jWgJ5NS0W8Mc 5Jbw3mHyXiTO0r/eL81dyuc9ZLOuGwNJxVrElFg62TkF5+RSLl7O2BrEkddO9K0PjXuR FO4E7bcVPD9gqbT4ffw4/QJnzwfuijETtjnalERt/Ztx25kZXc9ZambhkwFAyZwMw0Sf q3RzfThv0PhIx/4J6w9Go8RXl6JBzTsCjQOvGftRbC+MmdcQXkBF1v75x/OflHLqpFKx X4Mg==
X-Gm-Message-State: AOJu0YxJMitD02K+2FAd2dAIo1is47lSLeEaVLgCCuAe7kk5te6XcKPu U9c4Q7eRNYnuYJhw5zG4a4IffjjtCiA4F3e+0ay2JfYhahGRCvLChgxSRhgOkZlLov8BwMwHSqc rHL1ljisSjS6iwR+FT0q7M04bFJt59UFsxeQi7g4jiQTibQaC4O4x3A==
X-Google-Smtp-Source: AGHT+IEs94YVbjnxM8hTKvRJo7XFLnQWwb+uecsBvbmeL6Wma8MGzrsMvuzXMjSUv/DB3N8XA4HD728qzvytziyFWbg=
X-Received: by 2002:a05:6871:58f:b0:21e:b695:dff5 with SMTP id u15-20020a056871058f00b0021eb695dff5mr10188519oan.20.1709011448259; Mon, 26 Feb 2024 21:24:08 -0800 (PST)
MIME-Version: 1.0
References: <170742607913.20668.4615074555122263660@ietfa.amsl.com> <D16919B8-E602-4DA0-AF0A-D02EC327F019@redhoundsoftware.com>
In-Reply-To: <D16919B8-E602-4DA0-AF0A-D02EC327F019@redhoundsoftware.com>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Mon, 26 Feb 2024 21:23:57 -0800
Message-ID: <CAEmnEreT3MGMr7rEMDJf4D6dMyRt+AU0ySyPtby8b_t9ZheX7g@mail.gmail.com>
To: Carl Wallace <carl@redhoundsoftware.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004a7c160612563c74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/jKok6iVTjB7WWIheWX-3L_SR5as>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Feb 2024 05:25:01 -0000
On Mon, Feb 26, 2024 at 4:36 AM Carl Wallace <carl@redhoundsoftware.com> wrote: > Two comments on the third paragraph of section 4.1: > > - The addition of section identifiers for the references makes the > sentences harder to read. Maybe wrapping the section identifiers and > reference in parentheses. > Thanks, this feedback is appreciated. I've gone back and forth a lot on how best to do these references, and tried a bunch of different things, and this was my favorite phrasing so far. Unfortunately putting them in parentheses causes the resulting sentence to not read in plain English, unless I'm misunderstanding your suggestion? > - The preparation of the URI uses the keyIdentifier field of > AuthorityKeyIdentifier. That field is optional. What should occur if it is > absent (or if AKID is absent)? Given 5280 requires uniqueness for issuer > name and serial and the issuer field is not optional, would the issuer > field make for a better target than AKID? If this mechanism only applies to > certs that conform to a profile that requires presence of key identifier in > the AKID extension, state that up front. > This is a very interesting point. RFC 5280 requires both that the AKID extension be present and that the keyIdentifier field be present within it (Section 4.2.1.1 <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1>: "The keyIdentifier field of the authorityKeyIdentifier extension MUST be included in all certificates generated by conforming CAs to facilitate certification path construction."). So it's not obvious to me that the issuer name + serial uniqueness is any *more* required than the existence of the keyIdentifier field. Do other members of this list think that using some form of the Issuer Name bytes would be better than using the keyIdentifier? Thanks again, Aaron
- [Acme] I-D Action: draft-ietf-acme-ari-03.txt internet-drafts
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Carl Wallace
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Aaron Gable
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Carl Wallace
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Salz, Rich
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Salz, Rich
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Rob Stradling
- Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt Aaron Gable