[Acme] Adam Roach's Yes on draft-ietf-acme-ip-07: (with COMMENT)

Adam Roach via Datatracker <noreply@ietf.org> Tue, 01 October 2019 01:55 UTC

From: Adam Roach via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-acme-ip@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, cpu@letsencrypt.org, acme@ietf.org
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <156989491099.24194.10550152014180349645.idtracker@ietfa.amsl.com>
Date: Mon, 30 Sep 2019 18:55:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/sC-PXYTWAQ7D0dgVVw3CUilyhGQ>
Subject: [Acme] Adam Roach's Yes on draft-ietf-acme-ip-07: (with COMMENT)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

Adam Roach has entered the following ballot position for
draft-ietf-acme-ip-07: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-acme-ip/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


Thanks for the work you put into specifying this mechanism. The only
comments I have are editorial.

---------------------------------------------------------------------------

§1:

>  In order to allow validation of
>  IPv4 and IPv6 identifiers for inclusion in X.509 certificates this
>  document specifies how challenges defined in the original ACME
>  specification and the TLS-ALPN extension specification
>  [I-D.ietf-acme-tls-alpn] can be used to validate IP identifiers.


Nit: "...certificates, this..."

---------------------------------------------------------------------------

§3:

>  If a ACME server wishes to
>  request proof that a user controls a IPv4 or IPv6 address it MUST
>  create an authorization with the identifier type "ip".

Nit: "...an ACME..."

Nit: "...address, it..."

---------------------------------------------------------------------------

§4:

>  To use IP identifiers with these
>  challenges their initial DNS resolution step MUST be skipped and the
>  IP address used for validation MUST be the value of the identifier.

Nit: "...challenges, their..."

Nit: "...skipped, and..."

---------------------------------------------------------------------------

§5:

>  For the "http-01" challenge the Host header MUST be set to the IP
>  address being used for validation per [RFC7230].

Nit: "...challenge, the..."

Nit: "...Host header field..."

---------------------------------------------------------------------------

§6:

>  For the "tls-alpn-01" challenge the subjectAltName extension in the
>  validation certificate MUST contain a single iPAddress that matches
>  the address being validated.

Nit: "...challenge, the subjectAltName..."

>  As [RFC6066] does not permit IP
>  addresses to be used in the SNI extension HostName field the server

Nit: "...HostName field, the server..."

>  For example if the
>  IP address being validated is 2001:db8::1 the SNI HostName field

Nit: "For example, if the..."

Nit: "...2001:db8::1, the SNI..."

---------------------------------------------------------------------------

§9.1:

>  For example if the CA believes an IP
>  identifier belongs to a ISP or cloud service provider with short
>  delegation periods they may wish to impose additional restrictions on
>  certificates requested for that identifier.

Nit: "For example, if the CA..."

Nit: "...delegation periods, they may..."