[Acme] comments on: draft-ietf-acme-integrations-03.txt

Deb Cooley <debcooley1@gmail.com> Fri, 19 March 2021 10:46 UTC

From: Deb Cooley <debcooley1@gmail.com>
Date: Fri, 19 Mar 2021 06:46:19 -0400
Message-ID: <CAGgd1Od3apxOznaSdBqg-y+Ut=amR3jPrzBdOXfzPV=AHq6Rww@mail.gmail.com>
To: acme@ietf.org
Cc: "Cooley, Dorothy E" <decoole@nsa.gov>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/nZU7oOtJciO_DfU134jQ_t1PPR8>

I thought this draft was pretty easy to follow, and I just have a few minor
comments.  Note:  I am probably reviewing this from the point of view of an
integrator (maybe?) definitely not as a device developer, and not as a CA
developer.

Section 1, sentence after bullets and Section 4, paragraph 1:  Section 1
used “enrolment” while Section 4 used “enrollment”.  Pick one.  Use it
everywhere.

Section 3, 4 and 5 call flow:  both cases show the ACME CA returning a PEM,
while the EST RA returns a PKCS#7 to the device.  Is this intentional?  Are
you expecting the EST Server to convert the certificate from PEM to PKCS 7,
and is the PKCS7 a .p7b or .p7c?  [note:  these are trivial conversions,
but they are also very confusing to most people]

From an architecture point of view, do you expect the EST Server to be run
by the requesting organization?  Or by the CA owner – or is this not even
possible?  [from a ‘domain control’ point of view]

Again architecture:  If the EST Server sits in front of a large
organization, then domain validation is more interesting, and the Get
/csrattrs may or may not be able to recommend a SAN, right?  I can see that
policy oids could be provided, if that is a thing in these systems.  [we
use policy oids in US DOD, but that is possibly uncommon elsewhere.]

Section 8.1, para 3:  What does ‘The cache should be keyed by the complete
contents of the CSR’ mean?  The word ‘keyed’, I think, is the problem.  Maybe
‘indexed’?  Unless the cache is encrypted?


Deb Cooley, NSA
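
The PEM-to-PKCS#7 conversion raised in the comment on the Section 3, 4 and 5 call flows, written out as an added example that is not part of the original message or of the draft: an EST response (RFC 7030) carries a base64 "certs-only" PKCS#7, which is the same DER certificate wrapped in a SignedData with no content and no signers. The function names and the sample input are assumptions; the sample is constructed filler bytes, not a real certificate.

```python
import base64
import re

# DER-encoded OIDs from PKCS#7 / CMS (RFC 5652)
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1


def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def pem_to_der_certs(pem: str) -> list[bytes]:
    """Return the DER body of every CERTIFICATE block in a PEM string."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def certs_only_pkcs7(der_certs: list[bytes]) -> bytes:
    """Wrap certificates in a degenerate SignedData: no content, no signers."""
    signed_data = tlv(0x30, b"".join([
        tlv(0x02, b"\x01"),                      # version 1
        tlv(0x31, b""),                          # digestAlgorithms: empty SET
        tlv(0x30, OID_DATA),                     # encapContentInfo: id-data only
        tlv(0xA0, b"".join(sorted(der_certs))),  # certificates [0], SET OF order
        tlv(0x31, b""),                          # signerInfos: empty SET
    ]))
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, signed_data))


def est_body(pem: str) -> str:
    """Base64 of the certs-only structure, as carried in an EST response body."""
    return base64.b64encode(certs_only_pkcs7(pem_to_der_certs(pem))).decode()


# Constructed stand-in: a DER SEQUENCE of filler bytes, not a parsable certificate.
SAMPLE_DER = tlv(0x30, bytes(range(200)))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
```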