Re: [Acme] WGLC for ACME DTN Node ID

Brian Sipos <BSipos@rkf-eng.com> Fri, 09 April 2021 21:40 UTC

From: Brian Sipos <BSipos@rkf-eng.com>
To: "acme@ietf.org" <acme@ietf.org>
CC: "housley@vigilsec.com" <housley@vigilsec.com>
Thread-Topic: [Acme] WGLC for ACME DTN Node ID
Thread-Index: AQHXLYjxfSNCozHHr0WDM1PTxsWmzw==
Date: Fri, 09 Apr 2021 21:40:22 +0000
Message-ID: <5a65599ca9a588e8fa79647364372c52b34b6316.camel@rkf-eng.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/p_-KILy6fEULvtIoGjQxkSIvAIc>

Russ,
Thank you for the review comments. My responses are inline with prefix "[BS1]".

> I think that this document is almost ready.  I have a few comments.

> MAJOR:

> Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that profile does not require the certificate to
> include an EKU of id-kp-bundleSecurity.  When this document is used to verify control over the DTN Node ID, I think the
> issued certificate MUST include an EKU of id-kp-bundleSecurity.  If other means are used to validate other identities,
> then other EKU values might be included as well.

[BS1] This seems reasonable to require. I suppose the "email-reply-00" document [1] just leaves out any discussion of
EKU because the preexisting S/MIME documents define a more concrete certificate profile and there is a lot of momentum
behind S/MIME implementation. I'm going to add statements about the EKU in the CSR and the issued certificate.

> Section 4.2 is talking about S/MIME certificates.  I think there is a cut-and-paste error here.

[BS1] Yes, these statements should replace "S/MIME" with "bundle security".

> MINOR:

> Section 3.1 says:  "The only over-the-wire data required by ACME for a Challenge Bundle is a nonce token ...".  This
> is the first time that "nonce" appears in the document.  Please reword.

[BS1] I removed this statement and replaced it with a statement about the token-part2 scope:
  The <token-part2> value included in this object is fixed for the entire challenge, and may correspond with multiple
  separate <token-part1> values when multiple Challenge Bundles are sent for a single validation.

> Sections 3.3 and 3.4: in the beginning of the section, please add a pointer to the document that defines these
> parameters.  I think it is draft-ietf-dtn-bpbis.

[BS1] That is the correct reference. I am adding a statement at the top of each section.

> Section 6.1: please provide a reference for "BPSEC key material", and please spell out "BCB".

[BS1] I removed this speculative text and replaced it with:
It is possible for intermediate BP nodes to encapsulate-and-encrypt Challenge and/or Response Bundles while they
traverse untrusted networks, but that is a DTN configuration matter outside of the scope of this document.

> NITS:

> Section 1: please spell out BP on first use.
> Section 2: s/wildcard ("*") character/wildcard character ("*")/
> Section 6.2:  please spell out "BIB".

[BS1] I am correcting all of these typos.


[1] https://tools.ietf.org/html/draft-ietf-acme-email-smime-14
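The MAJOR comment above asks that a certificate issued for a DTN Node ID carry an EKU of id-kp-bundleSecurity, and the reply commits to requiring it in both the CSR and the issued certificate. The following is an added example, not code from the draft, the thread or any ACME implementation, showing the check an ACME client or CA would run on the ExtKeyUsage extension value: a stdlib-only DER encoder and decoder for the ExtKeyUsageSyntax SEQUENCE OF KeyPurposeId structure, plus a predicate that reports whether id-kp-bundleSecurity is listed. The OID 1.3.6.1.5.5.7.3.35 is the value RFC 9174 registers for id-kp-bundleSecurity; the other two OIDs and the sample extension values are constructed here only as inputs. Extracting the extension value (id-ce-extKeyUsage, OID 2.5.29.37) from a parsed certificate or CSR is assumed to be done by whatever X.509 library the implementation already uses.

```python
"""Added example: stdlib-only check that an X.509 ExtKeyUsage value contains
id-kp-bundleSecurity, the EKU the review asks the ACME DTN Node ID document
to require in both the CSR and the issued certificate.

ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId   (RFC 5280)
KeyPurposeId ::= OBJECT IDENTIFIER
"""

# id-kp-bundleSecurity is registered by RFC 9174 (TCPCLv4) as { id-kp 35 }.
ID_KP_BUNDLE_SECURITY = "1.3.6.1.5.5.7.3.35"
# Two other well-known KeyPurposeIds, used here only to build sample inputs.
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
ID_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in subids:
        # Base-128 chunks, most significant first; continuation bit on all but the last.
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)


def encode_eku(oids) -> bytes:
    """DER-encode an ExtKeyUsageSyntax SEQUENCE from dotted OID strings."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at buf[pos]; return (tag, content, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        # Indefinite (n == 0) and oversized lengths are not valid DER here.
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER content")
    return tag, buf[pos:end], end


def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to a dotted string."""
    # Empty content or a trailing continuation byte means a malformed OID.
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID content")
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    top, second = divmod(first, 40) if first < 80 else (2, first - 80)
    return ".".join(str(x) for x in [top, second] + arcs[1:])


def decode_eku(der: bytes) -> list:
    """Parse an ExtKeyUsageSyntax value into a list of dotted OID strings."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    if not oids:
        raise ValueError("ExtKeyUsage must list at least one KeyPurposeId")
    return oids


def has_bundle_security_eku(eku_der: bytes) -> bool:
    """True if the EKU extension value lists id-kp-bundleSecurity."""
    return ID_KP_BUNDLE_SECURITY in decode_eku(eku_der)


if __name__ == "__main__":
    # Constructed sample extension values, not taken from any real certificate.
    good = encode_eku([ID_KP_SERVER_AUTH, ID_KP_BUNDLE_SECURITY])
    bad = encode_eku([ID_KP_EMAIL_PROTECTION])
    print(good.hex(), has_bundle_security_eku(good))
    print(bad.hex(), has_bundle_security_eku(bad))
```

Run against the ExtKeyUsage value taken from the CSR before submitting an order, and again against the issued certificate before it is installed for TCPCLv4 use, the same predicate covers both places the reply says the requirement will be stated. Other KeyPurposeIds alongside id-kp-bundleSecurity do not make the check fail, matching the comment that other EKU values may be present when other identities are validated by other means.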