Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07

Carl Wallace <carl@redhoundsoftware.com> Fri, 27 May 2022 13:44 UTC

Date: Fri, 27 May 2022 09:43:57 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Russ Housley <housley@vigilsec.com>, Deb Cooley <debcooley1@gmail.com>, Dorothy E Cooley <decoole@radium.ncsc.mil>
CC: IETF ACME <acme@ietf.org>
Message-ID: <E81B9D37-ECB3-442D-8270-95DE68406D02@redhoundsoftware.com>
Thread-Topic: [Acme] WG Last Call for draft-ietf-acme-integrations-07
References: <CAGgd1OfQ6D-1GXkBHrSi3CvRZFqzvZaLCPz1mbKgUXij2=L6Ww@mail.gmail.com> <ACB2EC99-69D1-4294-8692-F9021C03C0DA@vigilsec.com>
In-Reply-To: <ACB2EC99-69D1-4294-8692-F9021C03C0DA@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/vsbhqc7bAN0u-71_-q5Y5pzz7Hk>

I’ll reply here to add one comment. The introduction of the potential for errors due to domains the RA is authorized for and those that may be requested is not called out to any extent. It is likely something that is mostly addressed by authentication to the RA and could be noted as such in section 7.1. Section 7.5 gets at the issue with the mapping for badIdentity, but it could be called out as something that occurs upon submission of a request to the RA (vs. mapping an ACME error back to the protocol of interest after failed interaction with the ACME server).


From: Acme <acme-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Thursday, May 26, 2022 at 10:25 AM
To: Deb Cooley <debcooley1@gmail.com>, Dorothy E Cooley <decoole@radium.ncsc.mil>
Cc: IETF ACME <acme@ietf.org>
Subject: Re: [Acme] WG Last Call for draft-ietf-acme-integrations-07

I have a few comments.  Only one of them will be difficult to sort out.

Section 1, para 1: Please add a cite to [RFC5280] after "X.509 (PKIX) certificate".

Section 1, last para: Please reword.  Something like:

   Optionally, ACME for subdomains [I-D.ietf-acme-subdomains] offers a
   useful optimization when ACME is used to issue certificates for large
   numbers of devices; it reduces the domain ownership proof traffic as
   well as the ACME traffic overhead.  This is accomplished by completing
   a challenge against the parent domain instead of a challenge against
   each explicit subdomain. Use of ACME for subdomains is not a
   necessary requirement.

Section 2: Please add a reference for CSR.  Consider [RFC2986].

Section 2: Please add a reference for RA.  Consider [RFC5280].

Section 2: Please add a reference for TLV.  Consider [RFC7170].

Section 4: Please fix the markdown typo: Refer to section {csr-attributes} for more details.

Section 7.2 says:

   EST [RFC7030] is not clear on how the CSR Attributes response should
   be structured, and in particular is not clear on how a server can
   instruct a client to include specific attribute values in its CSR.
   [I-D.richardson-lamps-rfc7030-csrattrs] clarifies how a server can
   use CSR Attributes response to specify specific values for attributes
   that the client should include in its CSR.

   Servers MUST use this mechanism to tell the client what identifiers
   to include in CSR request. ...

This is a MUST, but it is not really nailed down.  Can we get to a simple MUST statement here?  If not, can we at least narrow the possibilities?

Section 7.2: s/The identifier must/The identifier MUST/

Section 7.3: s/certificate MAY be omitted from the chain/certificate SHOULD be omitted from the chain/

Section 7.3.2: Please provide references for PKCS#7 and PKCS#10.

Section 7.4: s/id-kp-cmcRA extended key usage bit/id-kp-cmcRA extended key usage OID/ (multiple places)

Russ




On May 26, 2022, at 6:58 AM, Deb Cooley <debcooley1@gmail.com> wrote:

Title:  ACME Integrations

Authors: O.Friel, R.Barnes, R. Shekh-Yusef, M.Richardson

Datatracker: https://datatracker.ietf.org/doc/draft-ietf-acme-integrations/

This document outlines multiple advanced use cases and integrations that ACME facilitates without any modifications or enhancements required to the base ACME specification.  The use cases include ACME integration with EST, BRSKI and TEAP.

Please respond to this WG last Call by 9 June 2022.

For the ACME WG Chairs,
Deb

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme


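Added example, not code from draft-ietf-acme-integrations or from anyone in this thread: the two points raised above (Section 7.2's "servers MUST tell the client what identifiers to include", and the observation that a domain the RA client is not authorized for should be rejected on submission to the RA rather than surfaced later as a mapped ACME error) can be combined into one RA-side check. The function names, the `stage` field, and the domain sets and identifier lists are assumptions constructed for illustration; `badIdentity` is the error label the thread uses when discussing the Section 7.5 mapping.

```python
"""Added example, not code from draft-ietf-acme-integrations or from anyone in
this thread: an RA-side identifier check that an EST/BRSKI/TEAP front end can
run when a CSR is submitted, before anything is sent to the ACME server.
The domain sets and identifier lists below are constructed for illustration."""

# Error label as used in the thread's discussion of the draft's Section 7.5 mapping.
IDENTIFIER_ERROR = "badIdentity"


def normalize(name: str) -> str:
    """Canonical DNS-name form: trimmed, lower-case, no trailing dot."""
    return name.strip().lower().rstrip(".")


def is_within(name: str, parent: str) -> bool:
    """True when name is parent itself or a subdomain of parent."""
    name, parent = normalize(name), normalize(parent)
    return name == parent or name.endswith("." + parent)


def check_identifiers(requested, instructed, authorized):
    """Validate the DNS identifiers in a submitted CSR (hypothetical helper).

    requested  : identifiers found in the client's CSR
    instructed : identifiers the server told the client to include
                 (CSR Attributes response, Section 7.2 of the draft)
    authorized : parent domains the authenticated RA client may request for

    Returns (sorted accepted identifiers, None) on success, or ([], error)
    where error is a dict carrying stage="ra" so callers can tell this
    rejection apart from an error mapped back from the ACME server.
    """
    req = {normalize(n) for n in requested}
    ins = {normalize(n) for n in instructed}

    # Section 7.2: the CSR must carry exactly the identifiers the server instructed.
    if req != ins:
        return [], {
            "error": IDENTIFIER_ERROR,
            "stage": "ra",
            "detail": "CSR identifiers differ from instructed set: "
                      f"extra={sorted(req - ins)} missing={sorted(ins - req)}",
        }

    # Authentication to the RA bounds which domains may be requested at all;
    # a subdomain of an authorized parent is accepted (cf. ACME for subdomains).
    for name in sorted(req):
        if not any(is_within(name, parent) for parent in authorized):
            return [], {
                "error": IDENTIFIER_ERROR,
                "stage": "ra",
                "detail": f"{name} is outside the authenticated client's authorized domains",
            }
    return sorted(req), None


if __name__ == "__main__":
    # Constructed sample: RA client authenticated for example.com and its subdomains.
    authorized = ["example.com"]
    print(check_identifiers(["Dev1.Example.COM."], ["dev1.example.com"], authorized))
    print(check_identifiers(["dev1.example.net"], ["dev1.example.net"], authorized))
    print(check_identifiers(["dev1.example.com", "dev2.example.com"],
                            ["dev1.example.com"], authorized))
```

The `stage` field is the design point: a rejection produced here never involved the ACME server, so it does not need the ACME-to-protocol error mapping that Section 7.5 describes, and the RA can log it as an authorization failure of the submitting client rather than as an issuance failure.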