IETF Logo Mail Archive

Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)

Richard Barnes <rlb@ipv.sx> Wed, 29 August 2018 16:31 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B298A130DF0 for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TLgw6felS7mt for <acme@ietfa.amsl.com>; Wed, 29 Aug 2018 09:31:56 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C243130DDE for <acme@ietf.org>; Wed, 29 Aug 2018 09:31:55 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id 8-v6so10273660oip.0 for <acme@ietf.org>; Wed, 29 Aug 2018 09:31:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GWCmugMr7Ihi9m4raB61i6rZavCzc6XIrc0hqd68Ids=; b=dqho3SopSVIytBn7aOwcYExOOjhA77EXBS2+lQBxV1eu419kus0HPfONjffsdcTnC7 vnrOVjUBGzgTaFK7ejUnG71t+scekyqslYEAbBNI4nJW+EIaIZ92Rq0WD/+zD/gkJ/Oy im3DUtTlKTvXXCH1CWXG0Qs+TXCtV1szZU76EG4OscqyLj/ndeAWLfNhsZqwAFaJlrEL srhSAyfDhrzgoQCZgyoEUeMwTGIfIVwIBryH3EYecRx1g4G8z+ihkQavcqFv4byC3y1F iXmbIr/32DyijhyXinbGXamf5c9XjXtfxwx47gOzwSEYAKkIRcCYQIup9ZupbsXI3fXA AWdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GWCmugMr7Ihi9m4raB61i6rZavCzc6XIrc0hqd68Ids=; b=HqGDu/OHOoF2CkfsjJgsi6ydLvmq2chwKJ6GDfuVsG1gMz9IGaajGN/4o9uR2Ge4fW cBG65jjsw5m9WLtfvhJEqO2tatY144r9D8bHczL/Jdr3IiJKI3HHIbp0wNGPU3+Jr8vG OsMLjCJnpjZAJm4uIzm0Qt+Gi8XTzmLumZd7rD+nVxDbpsUw2kiOSbk86Aa0xGIzlSB+ Ad7Ne3ePT4nIewdb4dmmw0Jrz6AXhzHUrfFHhUukqzVEsqflyDgS41jRlI4AsB9tg/1e 6imSDLDgoapM3K8dtfmfFlXUfxCKuhPXSIcatnDUYymdWn3HOK7znggG5zK6GBmqX/Bw 9YtA==
X-Gm-Message-State: APzg51B2ElVisGkc7HzpgsO2AvlCsRYTofeknDwYyLETS1ChX4GjIBWj gD/2UiLXR9Gjz8zjoGiSxJlCJdudKm7Lp8jiLBdLpQ==
X-Google-Smtp-Source: ANB0VdZV4g2EoZJgpFuKzks4PxVRoBz5g9X83ieC6lSjyuf/NFcjL6d1xhNWzlZyHOEj7P+83b95Gxto8R1Xr1OFz0c=
X-Received: by 2002:aca:f189:: with SMTP id p131-v6mr3601495oih.14.1535560314376; Wed, 29 Aug 2018 09:31:54 -0700 (PDT)
MIME-Version: 1.0
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com> <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
In-Reply-To: <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Wed, 29 Aug 2018 12:31:42 -0400
Message-ID: <CAL02cgSCOnp4a_NnxzV+oufhooB1=QC6X5WSX=+_BpX0te0CGQ@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>, draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000011f0bd0574957fc7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/p9eETfz26LEUN-5bKQwBSewpRls>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 16:31:58 -0000

Updated the PR.  Trimmed below.

On Wed, Aug 29, 2018 at 11:26 AM Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

>
>> 6.4.1.  Replay-Nonce
>>
>>    The "Replay-Nonce" header field includes a server-generated value
>>    that the server can use to detect unauthorized replay in future
>>    client requests.  The server MUST generate the value provided in
>>    Replay-Nonce in such a way that they are unique to each message, with
>>    high probability.  For instance, it is acceptable to generate Replay-
>>    Nonces randomly.
>>
>>    The value of the Replay-Nonce field MUST be an octet string encoded
>>    according to the base64url encoding described in Section 2 of
>>    [RFC7515].  Clients MUST ignore invalid Replay-Nonce values.  The
>>    ABNF [RFC5234] for the Replay-Nonce header field follows:
>>
>>      base64url = [A-Z] / [a-z] / [0-9] / "-" / "_"
>>
>> This is not correct ABNF. Change range syntax in Section 3.4 of RFC 5234
>>
>
> I've updated to try to fix this, but your review on the PR would be
> appreciated.
>
> The correct form is (I didn't check if you usxe correct hex values):
>
> base64url = (%x40-5A) / (%x61-7A) / (%x30-39) / "-" / "_"
>
> (I.e., don't include "%x" after "-" and don't have spaces before or after
> "-".) BTW, you can use "BAP"on tools.ietf.org to verify ABNF.
>
Done.



>
>
>> Please add normative references for Retry-After and Link header fields.
>>
>
> These already have normative references at their first appearance:
>
> https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.5
>
> Do you think those references are incorrect?
>
>
> I was reading out of order, so this is fine. But a new nit: "header" -->
> "header field". ("Header" is a collection of all HTTP header fields present
> in a request or response).
>
Did a scan through, and I think I hit all of these.  LMK if you see others.


>
>
>> In 7.1.2:
>>
>>    contact (optional, array of string):  An array of URLs that the
>>
>> Which URI schemes are allowed (or at least expected) here?
>>
>
> Basically, servers must support "mailto", and may support others; they can
> specify their requirements in an error message.
>
> You don't mention "mailto:" till later and you don't even mention "tel:".
> I appreciate that you don't want to have an exhaustive list here, but I
> think you should still provide a bit more guidance.
>
Added a forward pointer to the guidance below.  If you have other things
you'd like to recommend, please send text.


>
> In 8.3:
>>
>>    The server SHOULD follow redirects when dereferencing the URL.
>>
>> Why only a SHOULD?
>>
>
> Some server operators wanted to have the option to require that the
> validation work on the first request.
>
>
> I think SHOULD basically makes redirects non interoperable. I think a bit
> more text explaining why SHOULD or change this to MUST. Also, if there are
> some security issues related to redirects, adding a pointer here would be
> good.
>
Fair point.  I've changed to MUST for now; let's see if anyone objects on
the mailing list.



>

v2.23.0 | Report a Bug | By Email