Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt

Aaron Gable <> Tue, 27 February 2024 05:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D658DC18DB9B for <>; Mon, 26 Feb 2024 21:25:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GF_BV_cDaY6e for <>; Mon, 26 Feb 2024 21:24:57 -0800 (PST)
Received: from ( [IPv6:2001:4860:4864:20::31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 61E49C1782B5 for <>; Mon, 26 Feb 2024 21:24:09 -0800 (PST)
Received: by with SMTP id 586e51a60fabf-21fa97a9c53so1665693fac.3 for <>; Mon, 26 Feb 2024 21:24:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; t=1709011448; x=1709616248;; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bLor3VvDNnB++xaiNc//I/5mIkvHSNePLfGbR2yeLyU=; b=YFoO3ioz8G8ohUvWsFc2Y+CiQ2j7pN6it0SG5kbgIS6ac6GMgZDLRZIWHYY+/rgULE DeFYf7Nel8+ngcc0o7lGTU2VS0ygv4kbuXGlSJjMVcS0D5R9bd1jLLCQN1vriVV0TxUU 78DjCbHF7iOUlqrAPITACOrLCV4f8fpDHSTus=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20230601; t=1709011448; x=1709616248; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bLor3VvDNnB++xaiNc//I/5mIkvHSNePLfGbR2yeLyU=; b=j+o2/TAQNAnZPlUw8AvWX2RRkvIylIxFmHtDngeH4iw97TT36H483kqk8kUxxXN+Es M6knWM4q6Eb6B9cQ2YgwXM3W7/1j0dpjvkB8GAPFgsiTq/HgFgQ5emD/jWgJ5NS0W8Mc 5Jbw3mHyXiTO0r/eL81dyuc9ZLOuGwNJxVrElFg62TkF5+RSLl7O2BrEkddO9K0PjXuR FO4E7bcVPD9gqbT4ffw4/QJnzwfuijETtjnalERt/Ztx25kZXc9ZambhkwFAyZwMw0Sf q3RzfThv0PhIx/4J6w9Go8RXl6JBzTsCjQOvGftRbC+MmdcQXkBF1v75x/OflHLqpFKx X4Mg==
X-Gm-Message-State: AOJu0YxJMitD02K+2FAd2dAIo1is47lSLeEaVLgCCuAe7kk5te6XcKPu U9c4Q7eRNYnuYJhw5zG4a4IffjjtCiA4F3e+0ay2JfYhahGRCvLChgxSRhgOkZlLov8BwMwHSqc rHL1ljisSjS6iwR+FT0q7M04bFJt59UFsxeQi7g4jiQTibQaC4O4x3A==
X-Google-Smtp-Source: AGHT+IEs94YVbjnxM8hTKvRJo7XFLnQWwb+uecsBvbmeL6Wma8MGzrsMvuzXMjSUv/DB3N8XA4HD728qzvytziyFWbg=
X-Received: by 2002:a05:6871:58f:b0:21e:b695:dff5 with SMTP id u15-20020a056871058f00b0021eb695dff5mr10188519oan.20.1709011448259; Mon, 26 Feb 2024 21:24:08 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Aaron Gable <>
Date: Mon, 26 Feb 2024 21:23:57 -0800
Message-ID: <>
To: Carl Wallace <>
Content-Type: multipart/alternative; boundary="0000000000004a7c160612563c74"
Archived-At: <>
Subject: Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Feb 2024 05:25:01 -0000

On Mon, Feb 26, 2024 at 4:36 AM Carl Wallace <>

> Two comments on the third paragraph of section 4.1:
> - The addition of section identifiers for the references makes the
> sentences harder to read. Maybe wrapping the section identifiers and
> reference in parentheses.

Thanks, this feedback is appreciated. I've gone back and forth a lot on how
best to do these references, and tried a bunch of different things, and
this was my favorite phrasing so far. Unfortunately putting them in
parentheses causes the resulting sentence to not read in plain English,
unless I'm misunderstanding your suggestion?

> - The preparation of the URI uses the keyIdentifier field of
> AuthorityKeyIdentifier. That field is optional. What should occur if it is
> absent (or if AKID is absent)? Given 5280 requires uniqueness for issuer
> name and serial and the issuer field is not optional, would the issuer
> field make for a better target than AKID? If this mechanism only applies to
> certs that conform to a profile that requires presence of key identifier in
> the AKID extension, state that up front.

This is a very interesting point. RFC 5280 requires both that the AKID
extension be present and that the keyIdentifier field be present
within it (Section <>:
"The keyIdentifier field of the authorityKeyIdentifier extension MUST be
included in all certificates generated by conforming CAs to facilitate
certification path construction."). So it's not obvious to me that the
issuer name + serial uniqueness is any *more* required than the existence
of the keyIdentifier field. Do other members of this list think that using
some form of the Issuer Name bytes would be better than using the

Thanks again,