Re: [Acme] WG last call for draft-ietf-acme-email-smime-06
Ben Schwartz <bemasc@google.com> Sat, 02 May 2020 18:11 UTC
Return-Path: <bemasc@google.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3780A3A1763 for <acme@ietfa.amsl.com>; Sat, 2 May 2020 11:11:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGHunFqndqnD for <acme@ietfa.amsl.com>; Sat, 2 May 2020 11:11:16 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA8133A1764 for <acme@ietf.org>; Sat, 2 May 2020 11:11:15 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id d15so15835766wrx.3 for <acme@ietf.org>; Sat, 02 May 2020 11:11:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kGYuFcCgJAuB1rtJLCbnxBzw3+rzhlhIHv3HnTbe6Xw=; b=ktMzLuzB24aOlDPBwyrVppdvgPxerJzRoQd8SB+5G9pG0FNSBgMNScyb092rJaZKt8 XWcc1jpjTSATYzUA04I+za4sul8jOLB9VHTQib4mhGWjEUe7toAQFthu9UXrz0CIw50r ChsreMioUGC6JUanu4tFrvUluTJz5F6ahQiLupbD0sB5pRBQBAkQbSPBdttpPYrhM2JZ xXQ1t17uEGVWu6KClBVobXIlZnfX9GbQKerpAXnsnoWMp5HWJrnmfbRb69P2hIDgSi63 keCf0DX98/GOd3b8JrMwbUUzESy9dUy2Uat5mogSbY0YdDHokPJPBYCuM48axZaJQz7F eFWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kGYuFcCgJAuB1rtJLCbnxBzw3+rzhlhIHv3HnTbe6Xw=; b=qMCaJ6kHQle8hyhT4iVkrRcMllU/bnok+I7jTgjslNL1u6TgCkaXE8DMYy1h0FQkUF moa0sxvxN7xUa+Iht3RZAfZfVuS8P9wYJ+DChN9L7Ox3mYgGAfIdGJgwzRpxVvkG9vDZ tcTh0InD64MO5bmNtXsPvVvmGBQTfUtmxcmWgriL7c4ggeW2Bl9MKaVFUSkIz8OHfQU1 9Pl5A/hE3Wdrb2ZX/e1JIXF4n/oJjorkFqYc3IPh02ohpBx9ndFaMJbPR07oTveAQmez hbfCH75Ix3rS9RgT8m2Gf6qtUq7syRnLYd2coTDH9krROvH1lxqVpphJSj7V9KlWY1Vw jkyQ==
X-Gm-Message-State: AGi0PuansM+FPV8ZTrgA1vO+OHb5m32Mc2bIc3HLrIa5URIr+mr9vcTq fqZ04st7a4ZlPhIw/JUz8GdH959C2OZSWIAOKl/lrw==
X-Google-Smtp-Source: APiQypJqovDOlDziYcH0EqdT1IwKveO5zUIvswCgIgBIma/x2mEoRFxqiqqLRTpHJbCgNdyLoG9CkxKD/Q8DTULDVSM=
X-Received: by 2002:adf:814a:: with SMTP id 68mr1414711wrm.177.1588443073897; Sat, 02 May 2020 11:11:13 -0700 (PDT)
MIME-Version: 1.0
References: <3703708B-4454-4AC9-87AF-961C73B1F331@akamai.com> <CAHbrMsDco31pxyBMBSdbgh5aMnttyC1G_tDTg1tz-aAzto=5dw@mail.gmail.com> <fee01750-7afb-02a7-50ee-30453805abec@isode.com> <CAHbrMsAdXvpRt2zCUn7DLNerxhZCFe4pS0TM1qzmaCUGKVYT=A@mail.gmail.com> <e188baf1-ff9f-7897-1bcb-baa94fb8ce2d@isode.com>
In-Reply-To: <e188baf1-ff9f-7897-1bcb-baa94fb8ce2d@isode.com>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 02 May 2020 14:11:02 -0400
Message-ID: <CAHbrMsDsW+EwGx0qzfqXn7qntB4_LqyN7jrLdkH66STeL6D02Q@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000033502505a4ae39eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mRcJkLlAnsAxBfLOWdJMQ45TRao>
Subject: Re: [Acme] WG last call for draft-ietf-acme-email-smime-06
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 May 2020 18:11:20 -0000
On Sat, May 2, 2020 at 8:35 AM Alexey Melnikov <alexey.melnikov@isode.com> wrote: > Hi Ben, > On 21/04/2020 01:12, Ben Schwartz wrote: > > > On Wed, Apr 1, 2020 at 5:40 AM Alexey Melnikov <alexey.melnikov@isode.com> > wrote: > >> Hi Ben, >> >> My apologies for missing your email in March: >> > > And mine for this delayed response. > >> On 12/03/2020 20:42, Ben Schwartz wrote: >> >> Section 3 says token-part1 "contains at least 64 bit of entropy", but >> Section 3.1 says token-part1 "MUST be at least 64 octet long after >> decoding". Is this difference deliberate? >> >> No, I obviously made a typo when saying octets. I will fix. >> > Fixed. > > Also 64 octets of entropy is a _lot_. RFC 8555 says "the token is >> required to contain at least 128 bits of entropy". >> >> The draft seems to be oriented entirely toward use with e-mail clients >> that have a built-in ACME-S/MIME client. I'm a bit disappointed that the >> draft doesn't accommodate users with "naive" email clients very well, e.g. >> by allowing customized subject lines. >> >> Actually, I was trying to accommodate naive email clients, but it was a >> fine balance trying to specify minimal requirements. >> >> Can you suggest some specific text to change and then we can discuss >> whether or not it should be done? My thinking about the Subject header >> field was that I wanted to have a unique subject (so that ACME email >> messages are easily findable). I also wanted to allow the token in the >> subject for APIs that can easily access Subject and not other header fields. >> > In that case, I would suggest "... subject ending with "(ACME: > <token-part1>)", where ...". That would allow the first part of the > subject (most likely to be seen by a human) to be human-readable. > > After thinking a bit more about this: > > As ACME servers are generating ACME challenge emails, the requirement on > them is stricter (they create the first message in an email thread). I am > tempted to leave this as is. Can you think of a case where ACME servers > would be unable to comply with this restriction? > My concern is that users will not know what to do if they receive an email whose subject line is "ACME: awlkNSdpijawrfz...". Users are used to seeing emails whose subject line is "Please verify your email address" or "Confirm your email". (My inbox is full of them.) I see no reason to disallow that here. Mandating that the subject line be non-human-readable seems like an unnecessary barrier to adoption. > ACME responses already allow arbitrary prefix to accommodate naive clients. > > Similarly, for Section 3.2. Point 6, I would relax the requirement to > state that this block must appear somewhere in the body. That way, if the > user sees the response message, it can provide some explanation of what is > going on. > > Good idea. Changed. > > For Section 3.1 Point 5, I don't understand why the body is restricted to > text/plain. In particular, I think hyperlinks to explanations and > instructions are likely to be helpful. I also wonder whether support for > multipart/multilingual could be useful. > > The body is irrelevant to ACME-aware clients, so it seems like there could > be a lot of freedom in how this is constructed. > > This is true for the challenge email. > Yes, that's what I was referring to. > There is a requirement on S/MIME (if used) to provide header protection, > but I agree that otherwise the body structure can be pretty flexible. > > Most email clients automatically convert HTTPS URLs to hyperlinks, which > should make the silly schemes I'm imagining possible, but not very > attractive, for ordinary users. > >> Best Regards, >> >> Alexey >> >> I assume this is deliberate, perhaps because of a desire to use short-TTL >> S/MIME certificates that would be impractical to provision manually, but >> the draft doesn't mention a rationale. >> >> On Thu, Mar 12, 2020 at 2:52 PM Salz, Rich <rsalz= >> 40akamai.com@dmarc.ietf.org <40akamai.com@dmarc..ietf.org>> wrote: >> >>> This mail begins a one-week working group last call on >>> https://datatracker.ietf.org/doc/draft-ietf-acme-email-smime/?include_text=1 >>> >>> >>> >>> If you have comments or issues, please post here. >>> >>> >>> >>> If anyone wants to be a document shepherd, please contact the chairs. >>> >> Best Regards, > > Alexey > > >
- [Acme] WG last call for draft-ietf-acme-email-smi… Salz, Rich
- Re: [Acme] WG last call for draft-ietf-acme-email… Ben Schwartz
- Re: [Acme] WG last call for draft-ietf-acme-email… Salz, Rich
- Re: [Acme] WG last call for draft-ietf-acme-email… Ryan Sleevi
- Re: [Acme] WG last call for draft-ietf-acme-email… A. Schulze
- Re: [Acme] WG last call for draft-ietf-acme-email… Salz, Rich
- Re: [Acme] WG last call for draft-ietf-acme-email… Alexey Melnikov
- Re: [Acme] WG last call for draft-ietf-acme-email… Ben Schwartz
- Re: [Acme] WG last call for draft-ietf-acme-email… Alexey Melnikov
- Re: [Acme] WG last call for draft-ietf-acme-email… Ben Schwartz
- Re: [Acme] WG last call for draft-ietf-acme-email… Ryan Sleevi
- Re: [Acme] WG last call for draft-ietf-acme-email… Ben Schwartz
- Re: [Acme] WG last call for draft-ietf-acme-email… Alexey Melnikov
- Re: [Acme] WG last call for draft-ietf-acme-email… Alexey Melnikov
- Re: [Acme] WG last call for draft-ietf-acme-email… Salz, Rich