Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Richard Barnes <rlb@ipv.sx> Wed, 29 August 2018 16:31 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B298A130DF0 for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TLgw6felS7mt for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:31:56 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C243130DDE for <acme@ietf.org>; Wed, 29 Aug 2018 09:31:55 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id 8-v6so10273660oip.0 for <acme@ietf.org>; Wed, 29 Aug 2018 09:31:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GWCmugMr7Ihi9m4raB61i6rZavCzc6XIrc0hqd68Ids=; b=dqho3SopSVIytBn7aOwcYExOOjhA77EXBS2+lQBxV1eu419kus0HPfONjffsdcTnC7 vnrOVjUBGzgTaFK7ejUnG71t+scekyqslYEAbBNI4nJW+EIaIZ92Rq0WD/+zD/gkJ/Oy im3DUtTlKTvXXCH1CWXG0Qs+TXCtV1szZU76EG4OscqyLj/ndeAWLfNhsZqwAFaJlrEL srhSAyfDhrzgoQCZgyoEUeMwTGIfIVwIBryH3EYecRx1g4G8z+ihkQavcqFv4byC3y1F iXmbIr/32DyijhyXinbGXamf5c9XjXtfxwx47gOzwSEYAKkIRcCYQIup9ZupbsXI3fXA AWdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GWCmugMr7Ihi9m4raB61i6rZavCzc6XIrc0hqd68Ids=; b=HqGDu/OHOoF2CkfsjJgsi6ydLvmq2chwKJ6GDfuVsG1gMz9IGaajGN/4o9uR2Ge4fW cBG65jjsw5m9WLtfvhJEqO2tatY144r9D8bHczL/Jdr3IiJKI3HHIbp0wNGPU3+Jr8vG OsMLjCJnpjZAJm4uIzm0Qt+Gi8XTzmLumZd7rD+nVxDbpsUw2kiOSbk86Aa0xGIzlSB+ Ad7Ne3ePT4nIewdb4dmmw0Jrz6AXhzHUrfFHhUukqzVEsqflyDgS41jRlI4AsB9tg/1e 6imSDLDgoapM3K8dtfmfFlXUfxCKuhPXSIcatnDUYymdWn3HOK7znggG5zK6GBmqX/Bw 9YtA==
X-Gm-Message-State: APzg51B2ElVisGkc7HzpgsO2AvlCsRYTofeknDwYyLETS1ChX4GjIBWj gD/2UiLXR9Gjz8zjoGiSxJlCJdudKm7Lp8jiLBdLpQ==
X-Google-Smtp-Source: ANB0VdZV4g2EoZJgpFuKzks4PxVRoBz5g9X83ieC6lSjyuf/NFcjL6d1xhNWzlZyHOEj7P+83b95Gxto8R1Xr1OFz0c=
X-Received: by 2002:aca:f189:: with SMTP id p131-v6mr3601495oih.14.1535560314376; Wed, 29 Aug 2018 09:31:54 -0700 (PDT)
MIME-Version: 1.0
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
In-Reply-To: <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 29 Aug 2018 12:31:42 -0400
Message-ID: <CAL02cgSCOnp4a_NnxzV+oufhooB1=QC6X5WSX=+_BpX0te0CGQ@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000011f0bd0574957fc7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/p9eETfz26LEUN-5bKQwBSewpRls>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 16:31:58 -0000
Updated the PR. Trimmed below. On Wed, Aug 29, 2018 at 11:26 AM Alexey Melnikov <alexey.melnikov@isode.com> wrote: > >> 6.4.1. Replay-Nonce >> >> The "Replay-Nonce" header field includes a server-generated value >> that the server can use to detect unauthorized replay in future >> client requests. The server MUST generate the value provided in >> Replay-Nonce in such a way that they are unique to each message, with >> high probability. For instance, it is acceptable to generate Replay- >> Nonces randomly. >> >> The value of the Replay-Nonce field MUST be an octet string encoded >> according to the base64url encoding described in Section 2 of >> [RFC7515]. Clients MUST ignore invalid Replay-Nonce values. The >> ABNF [RFC5234] for the Replay-Nonce header field follows: >> >> base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" >> >> This is not correct ABNF. Change range syntax in Section 3.4 of RFC 5234 >> > > I've updated to try to fix this, but your review on the PR would be > appreciated. > > The correct form is (I didn't check if you usxe correct hex values): > > base64url = (%x40-5A) / (%x61-7A) / (%x30-39) / "-" / "_" > > (I.e., don't include "%x" after "-" and don't have spaces before or after > "-".) BTW, you can use "BAP"on tools.ietf.org to verify ABNF. > Done. > > >> Please add normative references for Retry-After and Link header fields. >> > > These already have normative references at their first appearance: > > https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.5 > > Do you think those references are incorrect? > > > I was reading out of order, so this is fine. But a new nit: "header" --> > "header field". ("Header" is a collection of all HTTP header fields present > in a request or response). > Did a scan through, and I think I hit all of these. LMK if you see others. > > >> In 7.1.2: >> >> contact (optional, array of string): An array of URLs that the >> >> Which URI schemes are allowed (or at least expected) here? >> > > Basically, servers must support "mailto", and may support others; they can > specify their requirements in an error message. > > You don't mention "mailto:" till later and you don't even mention "tel:". > I appreciate that you don't want to have an exhaustive list here, but I > think you should still provide a bit more guidance. > Added a forward pointer to the guidance below. If you have other things you'd like to recommend, please send text. > > In 8.3: >> >> The server SHOULD follow redirects when dereferencing the URL. >> >> Why only a SHOULD? >> > > Some server operators wanted to have the option to require that the > validation work on the first request. > > > I think SHOULD basically makes redirects non interoperable. I think a bit > more text explaining why SHOULD or change this to MUST. Also, if there are > some security issues related to redirects, adding a pointer here would be > good. > Fair point. I've changed to MUST for now; let's see if anyone objects on the mailing list. >
- [Acme] Alexey Melnikov's No Objection on draft-ie… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Daniel McCarney
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Salz, Rich
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Benjamin Kaduk
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alan Doherty
- Re: [Acme] Alexey Melnikov's No Objection on draf… Manger, James
- Re: [Acme] Alexey Melnikov's No Objection on draf… Tim Hollebeek
- [Acme] FW: Alexey Melnikov's No Objection on draf… Tim Hollebeek
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Corey Bonnell
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- [Acme] HTTP redirects in validation [Was: Re: FW:… Ilari Liusvaara
- Re: [Acme] HTTP redirects in validation [Was: Re:… Ryan Sleevi