Re: [Acme] AD Review of draft-ietf-acme-integrations-10

"Owen Friel (ofriel)" <ofriel@cisco.com> Fri, 25 November 2022 18:38 UTC

From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Roman Danyliw <rdd@cert.org>, "acme@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/m6ZvxEwLy46yE9xRx1SZlArmuc4>

Thank you Roman for the review and comments.

I created individual GitHub issues for these comments and have committed fixes for most of them and closed the issues: https://github.com/upros/acme-integrations/issues

There are three outstanding issues and I will comment on these inline below.

Regards,
Owen

-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Roman Danyliw
Sent: Saturday 29 October 2022 03:34
To: acme@ietf.org
Subject: [Acme] AD Review of draft-ietf-acme-integrations-10


Hi!
I performed an AD review of draft-ietf-acme-integrations-10.  Thanks for this information document to show the broad applicability of ACME.  My feedback is as follows:


** Section 2.  Editorial.  The definition of subdomain uses explicit quotes around text from RFC1034.  However, label comes verbatim from RFC8499, why not quotes around it?

[ofriel] The quotes or lack of quotes is itself taken directly from the definitions in RFC8499. If you look at RFC8499, the definition of Label is not in quotes; however, the definition of Subdomain starts with a quote as it is pulling in text from RFC1034 into RFC8499. The text in acme-integrations aligns to the character with what is in RFC8499. Does this make sense?


** Section 6.  I don't have the full history on draft-ietf-eap-teap-brski.  However, it seems unusual to be effectively specifying an applicability statement for an expired, unadopted draft.  Is there significant usage of this draft in the field?  What's the motivation?

[ofriel] We / Cisco are actively working on elements of draft-lear-eap-teap-brski, we just didn't get to updating at IETF115. It might make sense to remove the reference for now, but see next comment.

** Section 6.  Diagram

Step 2 is "Establish Outer Tunnel".  Isn't the last step of it the following (i.e., the client responding back with the Result TLV=Success)?

       |  EAP-Response/          |                      |           |
       |   Type=TEAP,            |                      |           |
       |   {Crypto-Binding TLV,  |                      |           |
       |   Result TLV=Success}   |                      |           |
       |------------------------>|                      

However, the following is being shown as the last step:

       |  EAP-Request/           |                      |           |
       |   Type=TEAP,            |                      |           |
       |   {Request-Action TLV:  |                      |           |
       |     Status=Failure,     |                      |           |
       |     Action=Process-TLV, |                      |           |
       |     TLV=CSR-Attributes, |                      |           |
       |     TLV=PKCS#10}        |                      |           |
       |<------------------------|                      

[ofriel] The reason this happens is yes, the client has successfully completed TLS handshake, but the server is explicitly instructing the client to do a CSR Attributes followed by a PKCS#10 cert enrol so that the client will enrol to get a cert that will allow it to access. E.g. the client may start the TEAP transaction with an IDevID, or with an about-to-expire LDevID, thus the server is telling it to get a new cert before it will grant access.

This behaviour is not too clearly specified in RFC7170, but is clearer in draft-lear-eap-teap-brski. We could possibly drop draft-lear-eap-teap-brski reference and add further clarification in this document over and above what is in RFC7170.