Re: [Acme] AD Review of draft-ietf-acme-email-smime-07

Alexey Melnikov <> Fri, 29 May 2020 16:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5EEF93A0DA8 for <>; Fri, 29 May 2020 09:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wLrX1FZSDaW5 for <>; Fri, 29 May 2020 09:38:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 14F913A0D42 for <>; Fri, 29 May 2020 09:38:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1590770335;; s=june2016;; bh=KryBi3tWEQtYXiH+RTHsMtNhMT9YB0MggBjPH00T2N4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ZbqxjUMDFABpW50ex2JOUkpyRn4fiUOzBKYzi6E8CPJFKhOURmmBZC8kkLzwRCa1aXbcph 6LuaikGVwlMNqGBNY+0PSYjepn6bA4DOrr7xVJxBPeM4PerJPFNpjvNPw8jhbneyWmasT/ x2gaj/88NSYCj0N55iP+CN1/lFpNeJ4=;
Received: from [] ( []) by (submission channel) via TCP with ESMTPSA id <>; Fri, 29 May 2020 17:38:54 +0100
From: Alexey Melnikov <>
To: Roman Danyliw <>
References: <>
Message-ID: <>
Date: Fri, 29 May 2020 17:38:33 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <>
Subject: Re: [Acme] AD Review of draft-ietf-acme-email-smime-07
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 May 2020 16:38:58 -0000

Hi Roman,

Thank you for your detailed review.

On 22/05/2020 15:54, Roman Danyliw wrote:
> Hi!
> I completed my AD review of draft-ietf-acme-email-smime-07.  Thanks for the work on this document.  Here is my feedback:
> ** What was the thinking behind the document status being informational?
I don't think there was much thought or discussion of this point. I am 
flexible. I think when I started it was not very clear how much 
support/interest there were in this, but I noticed more interest over time.
> ** Section 3.1.  This section has no (normative) guidance on populating the To and From fields.

The To is the email address of the entity which requested S/MIME 
certificate issuance. I will clarify that.

There is no guidance regarding the From, as it is implementation choice. 
(I am not a fan of mandating specific email address for this, like 
postmaster@<domain>) Do you think this needs to be stated explicitly?

> ** Section 3.1.  Step 5.  Per "If S/MIME signing is used to prove authenticity of the challenge message, then multipart/signed or "application/pkcs7-mime; smime-type=signed-data;" media type should  be used", is there is a reason that this should is not normative (i.e., SHOULD)?
This is just restating requirements from other documents, but also 
emphasizing that both common alternatives are allowed here. I don't 
think this needs normative language.
> ** Section 6.
> -- Recommend explicitly naming the registries being updated
> -- Per the challenge type, all of the fields in the registry aren't described here
I will have a look at these.
> -- Per the challenge type, the text in Section 3 says that the challenge type is "email-reply-00" (not "email-reply" as described here)
Thank you for spotting this, I need to make sure that it is the same 
everywhere. I've  changed the document to say "email-reply" everywhere.
> I recommend something like the following:
> NEW:
> 6.1.  Identifier Type
> Per this document, a new type has been added to the "ACME Identifier Types" registry defined in Section 9.7.7 of [RFC8555] with Label "email" and a Reference to this document.
> 6.2.  Challenge Types
> Per this document, a new entry have been added to the "ACME Validation Methods" registry defined in Section 9.7.8 of [RFC8555].  This entry is as follows:
>             +-------------+-----------------+------+-----------+
>             | Label       | Identifier Type | ACME | Reference |
>             +=============+=================+======+===========+
>             | email-reply-00 | email              | Y    | This document  |
>             +-------------+-----------------+------+-----------+
> ** Section 7.  Per "Any claims about the correctness or    fitness-for-purpose of the email address must be otherwise assured", I don't follow the intent of this text.  For example, what is the "correctness ... of the email address"?  What is meant by "assurances"?
> ** Editorial nits:
> -- Section 3.  Typo. s/posession/posession/
I think you meant "possession". Fixed.
> -- Section 4.  As this document is now headed out of the WG, it seems like it should be removed.
> -- Section 7.  Typo. s/can can/can/
> -- Section 7. Editorial.  For readability, I would avoid nested parentheses.
> (by posessing user's password or a secret derived from it that can give read and reply access ("password equivalent" information), or by being given permissions to act on user's behalf using email delegation feature)
> (by possessing a user's password or a secret derived from it that can give read and reply access, such as "password equivalent" information; or by being given permissions to act on user's behalf using email delegation feature)


Best Regards,