Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
Alexey Melnikov <alexey.melnikov@isode.com> Wed, 29 August 2018 15:26 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AE6C127148; Wed, 29 Aug 2018 08:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fd3WEQzgoBm4; Wed, 29 Aug 2018 08:26:29 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 2BA9D130DD0; Wed, 29 Aug 2018 08:26:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1535556387; d=isode.com; s=june2016; i=@isode.com; bh=Jn3WBuo6Bg2ilo7gD27C7spQoMUjZ2/gL7LUaL9HGaM=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=kpvBUqYFR9OUiwLO8TI/nAuaMt6zlGUBv3qk/Sc0llHSjtKeNtCeMZWa6Yp2ajvHQVZMBN NOXb1HKKUSkukpcFNMy/Fn0bG/zS++QU7Qddbi0GSbDmkjCquN+Xv/HVLl2kepIz5e9k8g 9zzonMdd7JK5uQWiLTuOvJAa8g7ByHk=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <W4a7IgAMFsVG@statler.isode.com>; Wed, 29 Aug 2018 16:26:27 +0100
To: Richard Barnes <rlb@ipv.sx>, Alexey Melnikov <aamelnikov@fastmail.fm>
Cc: draft-ietf-acme-acme@ietf.org, IETF ACME <acme@ietf.org>, The IESG <iesg@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>
References: <153554127552.14913.5752261334380280625.idtracker@ietfa.amsl.com> <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <bcff02b8-7dc9-9606-1e73-2b1ba3bb76e1@isode.com>
Date: Wed, 29 Aug 2018 16:26:26 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.0
In-Reply-To: <CAL02cgRZsexAbNhwb08ROxTSYLqpJEJv2D9-s-sdkZx6SumPOg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------3AC4EB2591BEC2835F36446B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/v49-ugs0dzhfhAyvZVLEcnlXamA>
Subject: Re: [Acme] Alexey Melnikov's No Objection on draft-ietf-acme-acme-14: (with COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 15:26:32 -0000
Hi Richard, On 29/08/2018 16:03, Richard Barnes wrote: > Hi Alexey, > > Thanks for the comments. A couple of replies are below; resulting > edits are in this PR: > > https://github.com/ietf-wg-acme/acme/pull/442 I deleted comments where we are in agreement. More comments below: > > --Richard > > > On Wed, Aug 29, 2018 at 7:14 AM Alexey Melnikov > <aamelnikov@fastmail.fm <mailto:aamelnikov@fastmail.fm>> wrote: > > Alexey Melnikov has entered the following ballot position for > draft-ietf-acme-acme-14: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-acme-acme/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you for this very important document. I would like to switch > to "Yes", > but please first review and respond to my comments: > > First mentions of JSON and HTTPS need references. > > 6.4.1. Replay-Nonce > > The "Replay-Nonce" header field includes a server-generated value > that the server can use to detect unauthorized replay in future > client requests. The server MUST generate the value provided in > Replay-Nonce in such a way that they are unique to each > message, with > high probability. For instance, it is acceptable to generate > Replay- > Nonces randomly. > > The value of the Replay-Nonce field MUST be an octet string encoded > according to the base64url encoding described in Section 2 of > [RFC7515]. Clients MUST ignore invalid Replay-Nonce values. The > ABNF [RFC5234] for the Replay-Nonce header field follows: > > base64url = [A-Z] / [a-z] / [0-9] / "-" / "_" > > This is not correct ABNF. Change range syntax in Section 3.4 of > RFC 5234 > > > I've updated to try to fix this, but your review on the PR would be > appreciated. The correct form is (I didn't check if you usxe correct hex values): base64url = (%x40-5A) / (%x61-7A) / (%x30-39) / "-" / "_" (I.e., don't include "%x" after "-" and don't have spaces before or after "-".) BTW, you can use "BAP"on tools.ietf.org to verify ABNF. > > Please add normative references for Retry-After and Link header > fields. > > > These already have normative references at their first appearance: > > https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-6.5 > > Do you think those references are incorrect? I was reading out of order, so this is fine. But a new nit: "header" --> "header field". ("Header" is a collection of all HTTP header fields present in a request or response). > In 7.1.2: > > contact (optional, array of string): An array of URLs that the > > Which URI schemes are allowed (or at least expected) here? > > > Basically, servers must support "mailto", and may support others; they > can specify their requirements in an error message. You don't mention "mailto:" till later and you don't even mention "tel:". I appreciate that you don't want to have an exhaustive list here, but I think you should still provide a bit more guidance. > https://tools.ietf.org/html/draft-ietf-acme-acme-14#section-7.3 > > The WG discussed this and decided not to have more negotiation here. > See, e.g.: > > https://mailarchive.ietf.org/arch/msg/acme/TW8sbspUIGDGbIldaqWW0k9jKYo That is fine. > > (Similar text in other sections!) > > > I don't see "sort order" anywhere else, or other relevant usage of > "order". Do you have other places in mind? This might have existed in earlier versions. I will double check. > > In 8.3: > > The server SHOULD follow redirects when dereferencing the URL. > > Why only a SHOULD? > > > Some server operators wanted to have the option to require that the > validation work on the first request. I think SHOULD basically makes redirects non interoperable. I think a bit more text explaining why SHOULD or change this to MUST. Also, if there are some security issues related to redirects, adding a pointer here would be good. > 9.6. URN Sub-namespace for ACME (urn:ietf:params:acme) > > Repository: URL-TBD > > Who needs to fix this value? > > > There's a request to the RFC editor below. Ok. > 9.7.1. Fields in Account Objects > > o Field type: The type of value to be provided, e.g., string, > boolean, array of string > > Here and in all similar registries: I think you should insert > "JSON" before > "type" to make it clear that types are only restricted to JSON > type choices. > > > It's a JSON object. If you define a non-JSON type, you're gonna have > a bad time. Maybe I am dealing with too much CBOR/CDDL recently, which allows for more types.
- [Acme] Alexey Melnikov's No Objection on draft-ie… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alexey Melnikov
- Re: [Acme] Alexey Melnikov's No Objection on draf… Daniel McCarney
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Salz, Rich
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Benjamin Kaduk
- Re: [Acme] Alexey Melnikov's No Objection on draf… Alan Doherty
- Re: [Acme] Alexey Melnikov's No Objection on draf… Manger, James
- Re: [Acme] Alexey Melnikov's No Objection on draf… Tim Hollebeek
- [Acme] FW: Alexey Melnikov's No Objection on draf… Tim Hollebeek
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- Re: [Acme] Alexey Melnikov's No Objection on draf… Corey Bonnell
- Re: [Acme] Alexey Melnikov's No Objection on draf… Richard Barnes
- [Acme] HTTP redirects in validation [Was: Re: FW:… Ilari Liusvaara
- Re: [Acme] HTTP redirects in validation [Was: Re:… Ryan Sleevi