Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Brian Sipos <BSipos@rkf-eng.com> Tue, 27 July 2021 21:12 UTC
Return-Path: <BSipos@rkf-eng.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C983A0784 for <acme@ietfa.amsl.com>; Tue, 27 Jul 2021 14:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rkf-eng.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOioRp0LAJvo for <acme@ietfa.amsl.com>; Tue, 27 Jul 2021 14:12:45 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12on2041.outbound.protection.outlook.com [40.107.243.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F198C3A077E for <acme@ietf.org>; Tue, 27 Jul 2021 14:12:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZDDbF1JIUr/Qo/kGmneA/b/PBqTEbW5z2YC275ohR7/5GsGZwRUCUBQeraFk1yeYiY2x0JKTSqDKnVbyX8c3Jig7GIiVtG7GBhvHKJwj6vzTFCV+s7cMkkjdKuMITi96+6BJiNKBsqPoj8G1Nf7nr2iDFZa2g17DMBSGFMICJOYthe+HldrBn/G5qjzP9NgX1j8LQPBcqRhb7pBeKs8f/cWiyiKbMJsBfAWZqr9QxwF4K3OXtnUQmAn/RL4igu8Eg8FSyHMs5a3dstkdmCUEhR5+D1QDGK3t4q6v0ndae8uxE+ulcXSSUo18cElAuKXgDwavLHOgdFbdUHXYKrNYCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t0Mr8VSmaFMuoLiTAueFuAieuqEVd9XpsYjjYhUK3tQ=; b=FsUllopo0MhV7PFYwdo1SZ6T0/s8wkbY3mcFKM3KgQRv6xx6R/fiqe/jxk58BnJtJ8jjG3xaxKYkDX0+FVF9ZFv/PvTiFCr2n4LTYZJbqvZyrOr1bWw4SKAvcNIoWDPMcZNRg98GFLUdzAOE29/fGkSDnhtaJzjrlfGF1EWgXEUWrVTH6u7T+CW7MpugfAJWMqDkvSaWdl15uXciqkmCin1LpxfhOPOhnjG2KY9qxwLQvvrhNIOdsKDQAqKdi4/CJNaGBxIbThm1wKuh+GJ8gmuwuR/KdISNlqPGget9yhCA5RaKrm5eeoU5xC4jASefaZn75CZ6qmrwq2CHpuhsEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=rkf-eng.com; dmarc=pass action=none header.from=rkf-eng.com; dkim=pass header.d=rkf-eng.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rkf-eng.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t0Mr8VSmaFMuoLiTAueFuAieuqEVd9XpsYjjYhUK3tQ=; b=ccJrs1Els326AuOe0EStGtQAbzOATY7B3rX+O6gVIw+A4PmqtG5D/LJRRD2BoRnYZbUB75fppgvazQICH2BBWS+wKxlMbHA8Yc2l1r2cQFi71eUir2c9rO1wZ1ruSiD+nnQVt+h0/1RzJBL8ZTXpRYswkslDH7fkhcyHCJr5vlk=
Received: from MN2PR13MB3567.namprd13.prod.outlook.com (2603:10b6:208:168::10) by MN2PR13MB3776.namprd13.prod.outlook.com (2603:10b6:208:1e7::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.7; Tue, 27 Jul 2021 21:12:41 +0000
Received: from MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::f845:66e:abee:d10c]) by MN2PR13MB3567.namprd13.prod.outlook.com ([fe80::f845:66e:abee:d10c%6]) with mapi id 15.20.4373.018; Tue, 27 Jul 2021 21:12:41 +0000
From: Brian Sipos <BSipos@rkf-eng.com>
To: "rdd@cert.org" <rdd@cert.org>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
Thread-Index: AQHXgywiHJXaHUJs5USqsUtyrE1MwQ==
Date: Tue, 27 Jul 2021 21:12:41 +0000
Message-ID: <4ddbcc0b9ba6e2942fd1d95c412e41e6988b8a59.camel@rkf-eng.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Evolution 3.40.1 (3.40.1-1.module_f34+11997+0ba8848e)
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=rkf-eng.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 770504eb-2d14-48f7-35a1-08d95143454f
x-ms-traffictypediagnostic: MN2PR13MB3776:
x-microsoft-antispam-prvs: <MN2PR13MB37760EE917343C926D9668509FE99@MN2PR13MB3776.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SWiHjN+7j0/RoBuo0+Wvjcb0+koFE7NIV4orLw/s43UQXAW725wrKqi3svIi0JpuV7WWk/tK/oNznDAMbnCajTdl2fWGlw1owZxQt2PZT4fl++2PoCS3oreNUxokwzGXPJMRBs9ytphVXzFrlaWLK3dnv/V44DhUhnw1hHxl9tDJfLIi5ANODBsog0twEI39c4I8OBtPGA9GasgeJUkNhcD5WQd5VJHbp3WQlFWzG1NXCfn2R+XbtuN6NyOFzgsfZ/VzwgAY5PoaltYHVvu+B+azJg7wwEQC9+a0sHX/yrrx2T3fNeL54l960/rYld2alm07pZ1/nK5Aeq6Ku2dTOHOgYDJ3K4rwd1ZELRNxouPsWHSbuH4rFYI5sUNW7VtXjpM+Kc9MC/Bl/6v/4+wPHlXGa2A7l+5dHw0rRa1zlBdQQzTNDk6QwSFWLh0zW9+ZogGKTd0GoMiIkfH6WAp1G9cvahhY2ZOoX1bO6xPYT8z5AWThy2YQFqkKS5pG47YJdU8bAlyN/8x3yjUnKmUtPjxljXSSllGRlwHzv9cnEi5zHl4EJU/bZw8mm1bM6PR5dRUStu6DZwA7U8y3GtIp0tQgGmBoFtE9SXNfmRVI+Jwxj+xKwAkpw0s92ai5sl1fnbPBx+GfUTrUXDxgtIiox7Qwd8AHk7eRV4PrjCWaBAn+6oSWoPVzrNpBrWiz0PjoOgSfVK4uxj8jEItr79Kqp57Tv5Ye5swSD/Q+tUYFl69CvrxEe7AHn+sfvFAk1/PC3flcM/kmc4IFy/HLhAJlbw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR13MB3567.namprd13.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(396003)(366004)(136003)(39830400003)(83380400001)(8676002)(316002)(6916009)(5660300002)(6512007)(8936002)(122000001)(4326008)(99936003)(38100700002)(36756003)(6506007)(26005)(2906002)(186003)(478600001)(66556008)(66616009)(66946007)(66446008)(86362001)(71200400001)(66476007)(64756008)(2616005)(6486002)(76116006)(38070700005)(966005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: hwHziD2Hc7gLpyf+Pi7xUmJLTwRacjCUQD6fvqIezpCuw8eTaF3hoZEK04aEwfWE+DPT0GD280EiLvn2vU2u0v8TYbsffs8SzI5HmTGW6CT8DH/FHa3zV1haYEX3tDifVa8kF07KLwnYALlJ/McnBaalEl7ZSZYGOTIIRqci0lT/vm92zwQK4h9CHKHzT7TpCRGnByq7I3XmZzBjjI0AkfjPP30cpJztI+fGv7GQc4pN11/fozQrzI1dvsWZeHgFaAouPk0tUlMyQkpn6/fJR/Ns6J0qAvXA/VikMDdMOwdb7pD27Z6qfVXboPiW3avGzwpq+hFcRYLFB7kmXMAI/O/skqUt+PmRobbWgyRnPsh3kHpu4yZpE8D1WGpdeuEcchQi2yNFxxXL5dOMEblqv7WfCBpsFXkyO0UBmR3ctgLWBOHkiCzjmCv59ipJO/3h4ivsyQALFRkg53M5a/ayM7rg/7+XJ1rd3tlu5r99sli2CBqBNYnZSpPKrS3q7liyefgVg7EmNKmc+0E31vOpozrVcrQzPOoUANTmacoCsR5+25PyFx0ILUjwkprxEpGuyGfUJFc9/P77OdjNv+KENpOyPNIBQjN7eqR3LZqYAl5p4vbKWuJ5p8JpZzr3cpK5z395GoLmKTAvVe8gchVOnccq0+uUg/JQZa3vX2f+4rAlEa7Cu9BcLR3mtiW17yjhfOUiRitz90btdKTR9i+ZTP6Vz2zU38cFvdKx/5MW0eOblUN1OjsOWNPtz1JbZaIDdv+bYGi9te+sVVcWOFScP4RStSZ0w620/5TqiFIgoKQHRv8VGCipN9+eOSdYVZE4yLjY4kg9e1jv/C4TMKK0mFmZ7MpWRmznqh1/KeGdcSVhw8A6nvufhaxmMy5Mf/IBDqaluzX90beFtalOMlGKLX3HJUL0Xgk+K7ujpnzeFYSVK3jlbJsHeFtEMLvEjtjaDoaxaLmwlYolvEA40i2GMMQjNxdJRm7E7jVdD/Gi1cXv8Yv8mb0fCOhrwAMP/cfocp61leyPGprQ5+FXJ7NV30zl0eVPOfCz0evwC9cum9n4vv7Jk0tTc2BR1AO+IPB6Au9TnYgs7unQDcB+lFfvFmizxWvjcpLJ4W7pwZKHVCoghxXsb785I7T5Pnk8zt2nT4abvZT15W022z8BAcSpaiwPox7MH527fKc7UfsYrD++MynMB/1v98uJrgud/j50tYyVC6n9Aw6FWu6ju0z7mNPiPlqi5bYwDtnVcavaLvhNQVsAj6xCodaw+8hR1Q6/E4v5xT74B+V0jdwa5xe+q5dWE95RqVMc4j3Pu1PBWcSTvKatpzo00jIXl1my4aPC
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature"; boundary="=-lKfFElS4Bklzr+dnRZDk"
MIME-Version: 1.0
X-OriginatorOrg: rkf-eng.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR13MB3567.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 770504eb-2d14-48f7-35a1-08d95143454f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2021 21:12:41.5494 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4ed8b15b-911f-42bc-8524-d89148858535
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: eU5yYaFrYodfWZFZWaA3/oNxtYiMjL2L+FBBxExykl4kch6enR6hKo/IP7AllSbvngERB1XXZzcJYLk6daoGtw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3776
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/sgWP_o3Yy9MNV_kIh8H1z-kG3nI>
Subject: Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid-04
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 21:12:51 -0000
Roman, Thank you for this thorough review. I want to address the more procedural/structural points first; the ones which have implications outside of just this document. > On the process side, this arrangement is rather unusual. No quarrels with the substance of the update which will improve extensibility. However, this particular document has experimental status and the document being updated (draft-ietf-dtn-bpbis) is proposed standard (PS). Having a lower maturity document updating one of higher status is my concern -- "experiments fail". Was this issue considered? Discussed with the DTN WG? I'll note that draft-ietf- dtn-bpbis has not yet been published (although it is in the late state of the RFCEd queue). Could the changes just be added there directly? BS: I did bring this up in the DTN WG earlier and the BPbis authors were fine with the update itself, which didn't require BPbis document changes, but I understand the concern about the different document status levels. I have brought this new concern up in the DTN WG with options of either a late AUTH48 edit or a separate small Proposed Standard document from the DTN WG. The change really is not specific to this ACME document but related only to this being the first new administrative record type for BPv7. > **I need a little help on DTN addressing. The text notes that that the intent is to issue certificates with DTN Node IDs as a URI in subjectAltName. > ... > Given the constraint of (c) and the flexibility afforded with the definition of a node ID in (a)+(b), will DTN Node IDs always satisfy the requirement from (c) to be FQDN? Is language needed to ensure that (likely in a few places in the document)? BS: This is a good catch regarding conformance to RFC 5280, and unfortunately represents a subtle logical conflict with this and another document [1]. Although Section 4.2.1.6 of RFC 5280 states this requirement about the URI authority part it makes no other use of this authority restriction, and although RFC 6125 does define a URI-ID which has matching logic based on the authority part the certificate profile shared by DTN TCPCLv4 [1] and this document explictly avoid using URI-ID in favor of the matching logic defined in [1] for NODE-ID. So while a "dtn" scheme URI contains an authority part which I believe meets the intent of the RFC 5280 restriction (a unique and unambiguous name/address) it does not meet the letter-of-the-law in that document. The dtn scheme is already in use and has been for many years; although it resembles a URN in semantics it does use a URL syntax which may be more of an historical accident than a design decision (as the "ipn" scheme does not use the URL authority syntax). Do you think that explicitly calling this out in this document and in [1] are an acceptable way to avoid this logical issue? Meaning any CSR or certificate handler for DTN must be aware to ignore that specific RFC 5280 requriement. I think all of your other comments are sensible and I will respond to them separately. Thank you, Brian S. [1] https://datatracker.ietf.org/doc/html/draft-ietf-dtn-tcpclv4-26#section-4.4.2
- [Acme] AD Review of draft-ietf-acme-dtnnodeid-04 Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Ryan Sleevi
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Salz, Rich
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Russ Housley
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Brian Sipos
- Re: [Acme] AD Review of draft-ietf-acme-dtnnodeid… Roman Danyliw