Re: [Acme] [Last-Call] Artart telechat review of draft-ietf-acme-authority-token-tnauthlist-08
Francesca Palombini <francesca.palombini@ericsson.com> Tue, 30 November 2021 11:26 UTC
Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF693A1222; Tue, 30 Nov 2021 03:26:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.801
X-Spam-Level:
X-Spam-Status: No, score=-2.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.701, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1YM-B0a8iy8; Tue, 30 Nov 2021 03:26:39 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10086.outbound.protection.outlook.com [40.107.1.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D2983A1221; Tue, 30 Nov 2021 03:26:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OKYuoyYLXWPnivsQ1jd8Hs8xgWHRA26kmrtkmwR3gKC+JCsQoU9nn6I9/IWR21EUHT1/C1a/Jp7QFKRnDi2SfudLYTbvhzqHZSs3AOVSPz4GLHYqs5abh6B/ZRcBmK1MZAtzc7HdFwUrMeG7IVCpVpKuW3Au+JcLtn2kPvHXOMqCTwh8DG8EO61cMekyeQCvCKDgVQH3lIvtcS+0GmCqJNmDmmaWOK33LUt0DvpfkFwo7hJT1+O+4pV2hqW2BMKnt/tu0mTryUrEMbpisKBi1yxHLAcmp0SeudoyXDiFj9Jc1th4h6onZmtdj0/X2Q7Gh3n2cogIPrvUiMnw8VDQKQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SS6HDSQNeUMKbPXuHrAUfz4j07WWGDlehnpl6pD+qsk=; b=Q3KqF5vdnHOS89uQ2cjmhplrHfvduJYOZoNdGVJFR03H+6gIMZf/RlgoOXDsIJd05MyauSXF5Cv40X4Kx8De/WU734LsKMwL6ODgIKP/IKkuhoENfkK+23ps4JRrlnYIX6t1ly9pJXY50/tjLndtpM59d6OfwJFZcznvozRmQ5DS7gf86HYcGP5Tmy6lW9uaW/5hRi8L9hR0MlKO1K8n8V89mY+uzmwomY97AsR5cp3ekfbCBMlW4O3u9/F4roBD7lXVk4UgbVx3fdgHrZT2SEK4ERzF2sxfTexPkGgiSMXmCewNdX/FkzhhkpY+JeQbc9KTNEs1r0iDkuYh3c50Hw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SS6HDSQNeUMKbPXuHrAUfz4j07WWGDlehnpl6pD+qsk=; b=huE0SI/7WH0iw6jKC8ckfGy2nHwVgmckQ+kADA5bc19XFcDmrllw5o9LWqagIHAkEU/ImoucJHTIRfbuZIoBuJfI3J1icRIrj/mgws2zl4UuJa5CgucOJg7hl4xeB/NZEQEDkg25SIU312iI00DRmSLNA0NiGsMn1USXKevDzq0=
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com (2603:10a6:7:96::33) by HE1PR07MB3401.eurprd07.prod.outlook.com (2603:10a6:7:2d::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.12; Tue, 30 Nov 2021 11:26:33 +0000
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::cdd0:1e2:cd0b:790f]) by HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::cdd0:1e2:cd0b:790f%7]) with mapi id 15.20.4755.011; Tue, 30 Nov 2021 11:26:33 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Sean Turner <sean+ietf@sn3rd.com>, "art@ietf.org" <art@ietf.org>
CC: "draft-ietf-acme-authority-token-tnauthlist.all@ietf.org" <draft-ietf-acme-authority-token-tnauthlist.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Last-Call] Artart telechat review of draft-ietf-acme-authority-token-tnauthlist-08
Thread-Index: AQHX5aDnd0Td8guyokmqNHl+m2bbSawb7pqT
Date: Tue, 30 Nov 2021 11:26:33 +0000
Message-ID: <HE1PR07MB421780BB0936E76BDD7E1BE298679@HE1PR07MB4217.eurprd07.prod.outlook.com>
References: <163824567984.24703.12427292918154139710@ietfa.amsl.com>
In-Reply-To: <163824567984.24703.12427292918154139710@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c48d2981-3eb1-480b-d26e-08d9b3f44355
x-ms-traffictypediagnostic: HE1PR07MB3401:
x-microsoft-antispam-prvs: <HE1PR07MB3401D3EBA555893B779D3B9798679@HE1PR07MB3401.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:4714;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Kl0dBui1MbPRGb5hiq8HpLFZRhom5tJZfNqnG+O72+FS3xDcsgN9M6AMZckiDoqXl1JvcZiEoLH6aiBjt58GOoSoMvbSAtlKOemBwKgGzl9cDFtiBP+/8CKhkc8SDr22aLx/WN1FoKyaASmxM+yVqCarcszYcMbrzi5q2y8FJ5xr1aZwSOc/+M2k1PrNedX6jlNc8k3lUJnpkeIeicQ1qiFYuWumoDN9LC38PpF2Ja/CtkPpMYkVUQ/Z802PzfsUTnR4pzVq8qj5pZUNNIdKneP89cLYMj8NGiO3iQZCdeHxV2zIq1QZmOS1feDBvtgZYUZ+jGiWxa3nv3lNxGB9HTvANitdcqgLbXc4WxObuze2U5myzw0O7lmBN0WKlHahbQpgiLLxpVA97MXzNDBEraKOQF/wYS4ovVUGA7JuO0rivK+0Ih74KGAlVHOHEEcxUSOVslf63Z6Xo0masCUYgd4Q+3N8MnxSQn64Bj94Ghp13aCDo/FyrMXkRNgfi00m6LPvX7qgrM9lAnTkjbq0dkL+f3qNrhcsrLHSuQM9oBTgU77kYQVW+P2Oyg5hWRRdtmEggDTnfmiJLDG3UlNoLS02/icS48zgb/efR7MnHcYhc5xowsap4/4dd4AIXi+scPje8hZOHEJB6Fms9m9OIqIheBqtpwDlLaNz3GdmmCa9gF4uJlBjFgq4F/R7FlEyJflObyUibp3Lo01SovUz6TduGRNZvxgfyMmRnAudQsS6H8jKTT4pcsykLgoFYWcdPne8Ndv/TNwKwg7jVgXVGFS+xRnvEk8cuxhzA++DlV8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB4217.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(55016003)(186003)(44832011)(8936002)(54906003)(33656002)(71200400001)(86362001)(110136005)(7696005)(508600001)(9686003)(5660300002)(4326008)(966005)(52536014)(8676002)(6506007)(53546011)(66476007)(38070700005)(66556008)(76116006)(64756008)(66946007)(316002)(166002)(2906002)(66446008)(122000001)(82960400001)(83380400001)(38100700002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: fG7cnfYql4qMIST1q687huXb0pw2oLvLPOUUTtzlEVrlnFNuJrhzwJH7CloMN4HhwvspC1Ps4S0lDECc9MVmP/LwIfYP4E3P2pb3cy9bCqlMH+WvJHRNhn0vEvgumb7IukAMC/zBoFZ8GEzzvU6OqJ99t9L/7MzfLyQhXiLZXisn/8ddvC1G6aa2kDX1lJVGh6Xdjd3CUUCQfQFTioCxqq4eoDdrZ09HQ0m6DwHUxe8Tmfhg8dfG+Ansm0K3SxzgdUnJCGv6KmymXiKlh74D0xaK5v6jR1IvZ55rYsB7HzfqOzxhgawH921UaYVMfPuzN3OJHjZcRot6NuWM3jskmi5QHAMOOG/zwesM1t6vNn0uuDGwIxp3cFFigx5guwfCNXWN6SZsDmdpTODItgdMCCFBP0URjKUIwKfr3wXxUgvn9xeQhS153bZB74J+LzAvDmfYbIdyycdxzoTzfe/nAvcuuY/MrOwmLiYDKKOJ3NrnSsaAk3pEiM4QYY50kS94DrvwiTkIGAs5F2vdlb2sScHG6OaKCCUp8c+iEi7Eauu3sR7EmKipU+3awiu2eI8QeIh4gvcT8gM+Nz8v8obY35oUlsRW+oymma6YOStUWhrPkTtpzUr1Yzz43XVhXQWaUg4632vN/tUtnt1JsDrajxGxgDeloDoTH3AYKZavVvu5q8BeRIHRhiK4/ycJQpHNgrRSINzjQiFkFLXFu6xKubQybmJsp4c4SeGHK+jz1mVoEC7dwRARF41sLOiD0UlM9sBqzyuQIh9F/xmhK3JW1jmx5Mt4lnIXMsf+oypbwUrIfxa7VktKsS8FwwjWFMeIenlbD3SwYd9ohX039fiYuK2hB72W/+xXyGrDdxjqD0RPlGKVE3D6BS3i6MwFRJDspwP21bYsnL2jdmqhtwfs+oXxpgGME0u6+xobz3rKZZb9TU+QvBiviFuynJE243RQtTz3WrbOVVYikXUt13FyIIwJHud02iJOyPL8xbnfurASj9AkvgPe3zSjm3Xi7nboz3+qc5B4RjG8ZBIH/nKvUaDgtlqzIDWm5loE8uEPZXl8zHISUhUByOwzN5WRgR4JGH+9WLdluIK3wt/ww3t382t5LH2OiZ6L5SfLbs1J+NSBnByrZsQvwbbMGSBzrToQ4Kuo/0CN9Qs6jodqtNAazQqiQ/51izYAvh6KmNNUYaTeIEVfUdjnsOznE5s2HZriLdClNf8tHgDDAjwBJ1nU12jNL+bz0uEufMbjaol/ZJ+CUK+QiQbUo/CUdgcMvWhiahnKX4qRYquY6owtoLV8VLstzeZUGv1oO1CCHw/tVbPfFX5QKD/GBlMrXdxmCZ9XUQ8luFCzUnF9gj2E1Lo+w8d6ES4VjtQFBYksWsa1ew3VffAUrBrONemluc0DeWYGKierPf07HfR5LEsEYQqbS4JNwiaYxUpYNyo93CsAnse/X8o+FaF1HoJndF2Rr9X4+qAHi9KLn3aekdLn+xvcDmgUDWCCTzvwn7AciS4/WLZLhXffHwLLzOGKLwq1GbDbHyz1vCTMmbV34kSm/R3FuI0fKWb8bTeg22ydzf7CSLlxNQNqvqKp7aEzlEdE3RLKAc2ZHNS9OMwE3kN8LUAmZ0DZR+RYTVZK9QzbLuXReJUGqGGWNZd42VVamiXoNTUGJQILrjHWLWu4NH8bHV54AcwlvsT5UYRcrMb3Y02dYx6ZJ6htuvZwc0gmH+B5SzRN+OUdZcPBH5DXAX2EjB3562Jjll2YoA79kyoTKpIwe3VPrJ2uorLi7TNu0VTrLS9DChVcDOnh
x-ms-exchange-antispam-messagedata-1: RoJG0ATdD50yNVheqQVSBUPmjruYTREwo98=
Content-Type: multipart/alternative; boundary="_000_HE1PR07MB421780BB0936E76BDD7E1BE298679HE1PR07MB4217eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB4217.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c48d2981-3eb1-480b-d26e-08d9b3f44355
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Nov 2021 11:26:33.1426 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 9segnwLcuIwNVOFzQvqNmcPwH1KUoAK++OjmicEZbMQFRAlBGHU1zZ43IXZ+cBy/pVrdJ8DrSgR+D1L3cgha6aM37KpQiVAfeQQFYb4b3b5vv56t+XxDBRiM0twvAFEW
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3401
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/w-Mldx3E4YUa-HykDraI1LUDa9k>
Subject: Re: [Acme] [Last-Call] Artart telechat review of draft-ietf-acme-authority-token-tnauthlist-08
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2021 11:26:45 -0000
Thank you very much Sean! Great points, I balloted DISCUSS as these should be fixed before the document is moved forward, and will be looking out for the authors and wg’s answers. Francesca From: last-call <last-call-bounces@ietf.org> on behalf of Sean Turner via Datatracker <noreply@ietf.org> Date: Tuesday, 30 November 2021 at 05:15 To: art@ietf.org <art@ietf.org> Cc: draft-ietf-acme-authority-token-tnauthlist.all@ietf.org <draft-ietf-acme-authority-token-tnauthlist.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, acme@ietf.org <acme@ietf.org> Subject: [Last-Call] Artart telechat review of draft-ietf-acme-authority-token-tnauthlist-08 Reviewer: Sean Turner Review result: Ready with Issues Hi! 2nd ARTART review so I am not sure I am yet attuned to all the ART hot buttons. Drawing on the times I have been through the ARTART process as an I-D author ;) ADs NOTE: I picked "Ready with Issues" because, while my comments seem long, I do not think any of the things that I noted are insurmountable but they non-nits are worthy of a response. 0) I found some problems with the JSON in this I-D: ASIDE: It seems perfectly okay to have “base64url({foo})” in the JSON; RFC 8739s and 9115 do. But, validators won't return a valid check for the JSON examples (at least not the validators I used). I did get them to return valid after I made the corrections below and then ran the validate twice. Once for the foo and for the rest by replacing base64url({foo}) with "". A pain but it did uncover: 0.a) s3, 1st and 2nd examples (missing closing " on type: OLD: {"type:"TNAuthList", NEW: {"type":"TNAuthList", 0.b) s4, 1st example (drop ,): OLD: "url": "https://example.com/acme/authz/1234", NEW: "url": "https://example.com/acme/authz/1234" 0.c) s4, 2nd example (add “) OLD: {"type:"TNAuthList", NEW: {"type":"TNAuthList", 0.3) s4, 2nd example (add ,) OLD: "url": "https://boulder.example.com/authz/asdf/0" NEW: "url": "https://boulder.example.com/authz/asdf/0", 0.44) s5.4, quote the URL: OLD: "x5u":https://protect2.fireeye.com/v1/url?k=848acae2-db11f3e7-848a8a79-86d2114eab2f-1d2b6327a9ee43b5&q=1&e=1964e0ec-af8b-4226-9ec3-22ebc0dbc063&u=https%3A%2F%2Fauthority.example.org%2Fcert NEW: "x5u":"https://protect2.fireeye.com/v1/url?k=9ab17434-c52a4d31-9ab134af-86d2114eab2f-1ece6dcafafe9403&q=1&e=1964e0ec-af8b-4226-9ec3-22ebc0dbc063&u=https%3A%2F%2Fauthority.example.org%2Fcert" 1) base64 reference/encoding: 1.a) RFC 4648 defines a number of alphabets. I assume that you are referring to the “Base 64 Encoding with URL and Filename Safe Alphabet” because you use base64url in the JSON? I think you need to make this clear. You maybe could steal the text from RFC 8555 (and yeah this is wordy): OLD: The format of the string that represents the TNAuthList MUST be constructed as a base64 [RFC4648] encoding of the TN Authorization List certificate extension ASN.1 object. New: The format of the string that represents the TNAuthList MUST be constructed as a base64url encoding, as per [RFC8555] base64url encoding is described in Section 5 of RFC4648 [RFC4648] according to the profile specified in JSON Web Signature in Section 2 of [RFC7515] , of the TN Authorization List certificate extension ASN.1 object. 1.b) Assuming that you are using the URL safe format, I would suggest updating the references in the text to “base64” match the examples that use base64url: 1.b.0) s3, 3rd para: OLD: base64 encoded string. NEW: base64url encoded string. 1.c.1) s5.4, 2nd bullet: OLD: base64 encoded NEW: base64url encoded 1.c.2) s5.5, 3rd to last para: OLD: base64 encoded NEW: base64url encoded 1.c.3) s6, 5th bullet: OLD: equivalent base64 encoded NEW: equivalent base64url encoded 1.c) You will note in the requirement RFC 8555 that trailing "=" be stripped and encoded values that trailing = MUST be rejected. The identifiers in s3, the identifier in s4, and tkvalue in s5.4 and s5.5 include "=". Is the JSON wrong or is padding included? 2) s5.1-3: It seems like you need a normative reference to RFC 7519 for the iss, exp, and jti claims. 3) s5.4: fingerprint 3.a) So this specification defines fingerprint. Then locks in SHA256 and says the number of bytes is defined by the hash function. Since you locked in SHA256, why don’t you just say it MUST be 32 bytes? I guess I am a little confused how one would support a different algorithm in the future. 3.b) Was there any thought to providing more than one fingerprint (certificates sometimes do)? I.e., would it be better to be an array of two fields: "fingerprint":" [{alg=“SHA256”, value= “56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3”}] NITS: 0) In s1, s/Certification Authority/Certification Authority (CA) to abbreviate CA on 1st use. CA is used lated but there is no abbreviation provided elsewhere in the I-D. 1) s5.4 1st para includes the following: It contains a JSON object of three elements. What follows is four bullets. Maybe just future proof it by "It contains a JSON object with the following elements:" 2) s5.5, please expand CSP on 1st use. 3) s5.5, last para: s/should/SHOULD 4) s5.6, please expand SPC, OCN, and SPID on 1st use. 5) s6, last bullet: uses “CSR request”, but elsewhere it’s been “new-order” should you use that here too for consistency. If not the R is CSR is request so you can drop request after expanding CSR ;) 6) Shouldn't the RFC 2119 reference be normative? >From ID-NITS: == Outdated reference: A later version (-07) exists of draft-ietf-acme-authority-token-05 == Outdated reference: draft-ietf-stir-cert-delegation has been published as RFC 9060 -- last-call mailing list last-call@ietf.org https://www.ietf.org/mailman/listinfo/last-call
- [Acme] Artart telechat review of draft-ietf-acme-… Sean Turner via Datatracker
- Re: [Acme] [Last-Call] Artart telechat review of … Francesca Palombini