Re: [auth48] [E] Re: AUTH48: RFC-to-be 9538 <draft-ietf-cdni-delegation-acme-04> for your review

"Mishra, Sanjay" <sanjay.mishra@verizon.com> Wed, 07 February 2024 18:44 UTC

From: "Mishra, Sanjay" <sanjay.mishra@verizon.com>
Date: Wed, 07 Feb 2024 13:44:27 -0500
Message-ID: <CA+EbDtDWZDcN3YYr=zOLBbwJi-q+jijTt+4SV4Kz2qw04oyTLA@mail.gmail.com>
To: Alice Russo <arusso@amsl.com>
Cc: "Mishra, Sanjay" <sanjay.mishra=40verizon.com@dmarc.ietf.org>, frederic.fieau@orange.com, emile.stephan@orange.com, francesca.palombini@ericsson.com, cdni-ads@ietf.org, cdni-chairs@ietf.org, kevin.j.ma.ietf@gmail.com, rfc-editor@rfc-editor.org, auth48archive <auth48archive@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/9ToTHDUwIKC4tiempQL8fcnYBIY>
Subject: Re: [auth48] [E] Re: AUTH48: RFC-to-be 9538 <draft-ietf-cdni-delegation-acme-04> for your review
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>

Hi Alice - My response is embedded below:

Section 5 (Security Considerations)
> ORIGINAL:
>    The reader is expected to understand the ACME delegation trust model
>    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
>    [RFC9115]), in particular the criticality around the protection of
>    the user account associated with the delegation, which authorizes all
>    the security relevant operations between dCDN and uCDN over the ACME
>    channel.
>
> CURRENT:
>    The reader is expected to understand the ACME delegation trust model
>    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
>    [RFC9115]).  In particular, the reader is expected to understand that
>    it is critical to protect the user account associated with the
>    delegation; this account authorizes all the security-relevant
>    operations between a dCDN and a uCDN over the ACME channel.


I approve the updated text as shown under the heading "CURRENT:".

Thank you
Sanjay

On Wed, Feb 7, 2024 at 1:29 PM Alice Russo <arusso@amsl.com> wrote:

> Sanjay,
> Thank you for your reply; we have updated the document accordingly.
>
> FYI, in addition to the update in #4, we have changed "the criticality
> around the protection of" to "that it is critical to protect the"; this
> text is shown below and in the files. Please review.
>
> Section 5 (Security Considerations)
> ORIGINAL:
>    The reader is expected to understand the ACME delegation trust model
>    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
>    [RFC9115]), in particular the criticality around the protection of
>    the user account associated with the delegation, which authorizes all
>    the security relevant operations between dCDN and uCDN over the ACME
>    channel.
>
> CURRENT:
>    The reader is expected to understand the ACME delegation trust model
>    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
>    [RFC9115]).  In particular, the reader is expected to understand that
>    it is critical to protect the user account associated with the
>    delegation; this account authorizes all the security-relevant
>    operations between a dCDN and a uCDN over the ACME channel.
>
> The revised files are here (please refresh):
>
> https://www.rfc-editor.org/authors/rfc9538.html
>
> https://www.rfc-editor.org/authors/rfc9538.txt
>
> https://www.rfc-editor.org/authors/rfc9538.pdf
>
> https://www.rfc-editor.org/authors/rfc9538.xml
>
> This diff file shows all changes from the approved I-D:
>
> https://www.rfc-editor.org/authors/rfc9538-diff.html
>
> https://www.rfc-editor.org/authors/rfc9538-rfcdiff.html
> (side by side)
>
> This diff file shows the changes made during AUTH48 thus far:
>
> https://www.rfc-editor.org/authors/rfc9538-auth48diff.html
>
> We will wait to hear from you again and from E. Stephan
> before continuing the publication process. This page shows
> the AUTH48 status of your document:
>
> https://www.rfc-editor.org/auth48/rfc9538
>
> Thank you.
> RFC Editor/ar
>
> > On Feb 7, 2024, at 9:31 AM, Mishra, Sanjay <sanjay.mishra=
> 40verizon.com@dmarc.ietf.org> wrote:
> >
> > Hi Alice - Thank you and please see response below for the 4 questions:
> >
> > 1) <!--[rfced] May this be rephrased as follows for readability?
> >
> > Original:
> >    RFC9115 allows delegating entities to remain in
> >    full control of the delegation and be able to revoke it any time and
> >    this avoids the need to share private cryptographic key material
> >    between the involved entities.
> >
> > Perhaps:
> >    Per RFC 9115, delegating entities can remain in
> >    full control of the delegation and can revoke it at any time.
> >    This avoids the need to share private cryptographic key material
> >    between the involved entities.
> > -->
> > Yes, I approve the new wording as suggested above
> >
> >
> >
> > 2) <!--[rfced] FYI, in Section 1.1, we added mention of "STAR" so that it
> > is expanded upon first use. Please let us know if you prefer otherwise.
> > (In the original, the first use was in Section 3 - "ACME STAR delegation"
> > was followed by explanation but was without a direct expansion.)
> >
> > Original:
> >    It also uses
> >    terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >    [RFC9115].
> >
> > Current:
> >    It also uses
> >    terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >    [RFC9115], including Short-Term, Automatically Renewed (STAR),
> >    as applied to X.509 certificates.
> > -->
> >
> > Yes, I approve of the new wording as above.
> >
> > 3) <!--[rfced] How may this sentence be rephrased for clarity? In
> particular,
> > "allows to specify" is not clear. Also, Section 2.3.1.3 of RFC 9115
> > indicates that the CNAME mapping is optional; should this sentence be
> > updated to reflect that?
> >
> > Original:
> >       |   Note: The delegation object defined in Section 2.3.1.3 of
> >       |  [RFC9115] only allows to specify DNS mappings using CNAME RRs.
> >
> > Perhaps:
> >       |   Note: The delegation object defined in Section 2.3.1.3 of
> >       |  [RFC9115] only allows DNS mappings to be specified using CNAME
> RRs.
> >
> > Yes, I approve the above wording as suggested
> >
> > Or:
> >       |   Note: The delegation object defined in Section 2.3.1.3 of
> >       |  [RFC9115] allows DNS mappings to be specified using only CNAME
> RRs.
> > -->
> >
> >
> > 4) <!--[rfced] FYI, for readability and precision, we have made the
> following
> > updates: split this into two sentences, changed "criticality around"
> > to "criticality of", and changed "which" to "this account".
> > Please review and let us know if you prefer otherwise.
> >
> > Original:
> >    The reader is expected to understand the ACME delegation trust model
> >    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >    [RFC9115]), in particular the criticality around the protection of
> >    the user account associated with the delegation, which authorizes all
> >    the security relevant operations between dCDN and uCDN over the ACME
> >    channel.
> >
> > Current:
> >    The reader is expected to understand the ACME delegation trust model
> >    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >    [RFC9115]).  In particular, the reader is expected to understand the
> >    criticality of the protection of the user account associated with the
> >    delegation; this account authorizes all the security-relevant
> >    operations between a dCDN and a uCDN over the ACME channel.
> >
> > Yes, I approve of the suggested text.
> >
> > Thank you very much
> > Best
> > Sanjay
> >
> > On Wed, Feb 7, 2024 at 12:17 PM Alice Russo <arusso@amsl.com> wrote:
> > Authors,
> >
> > Sanjay, thank you for your reply and for letting us know about
> Frederic's reply to the CDNI mailing list.
> >
> > Please reply to the 4 questions below regarding changes to the text.
> >
> > The edited document is here:
> >
> https://www.rfc-editor.org/authors/rfc9538.html
> >
> https://www.rfc-editor.org/authors/rfc9538.pdf
> >
> https://www.rfc-editor.org/authors/rfc9538.txt
> >
> https://www.rfc-editor.org/authors/rfc9538.xml
> (source)
> >
> > Diff files of all changes from the approved Internet-Draft:
> >
> https://www.rfc-editor.org/authors/rfc9538-diff.html
>
> >
> https://www.rfc-editor.org/authors/rfc9538-rfcdiff.html
> (side by side)
> >
> > This page shows the AUTH48 status of your document:
> >
> https://www.rfc-editor.org/auth48/rfc9538
> >
> > In addition to the authors' responses to the questions, we hope to hear
> from Emile Stephan, as an approval is needed from each author listed in the
> first-page header of the RFC.
> >
> > Thank you.
> > RFC Editor/ar
> >
> >> On Feb 7, 2024, at 7:21 AM, Mishra, Sanjay <sanjay.mishra=
> 40verizon.com@dmarc.ietf.org> wrote:
> >>
> >> Hi Alice - My co-author Frederic Fieau responded approving this draft;
> however, it is in a different email thread addressed to cdni@ietf.org, so
> as confirmation I'm responding to this thread: I, as a co-author along with
> Emile Stephan and Frederic Fieau, have reviewed all changes and approve
> publication of this document as RFC 9538.
> >>
> >> We are thankful to co-chair Kevin Ma for his guidance, to the AD,
> Francesca Palombini, and to everyone that contributed and commented on this
> draft, and of course a big thanks to the editorial team.
> >>
> >> Regards
> >> Sanjay Mishra
> >>
> >> snippet of email from Fred is below:
> >> frederic.fieau@orange.com
> >> 9:41 AM (37 minutes ago)
> >> to cdni@ietf.org, me, STEPHAN
> >>
> >> Dear all,
> >>
> >> I have reviewed all changes in draft-ietf-cdni-delegation-acme and
> concur with them. On behalf of the authors, I approve the document for
> publication as RFC9538.
> >>
> >> I would like to thank the CDNI WG and all individuals who participated
> for their valuable contributions throughout the process which has now
> reached its conclusion for this draft.
> >>
> >> Regards,
> >> Frederic
> >>
> >> On Tue, Feb 6, 2024 at 6:12 PM Alice Russo <arusso@amsl.com> wrote:
> >> Authors,
> >>
> >> This is a reminder that we await word from you regarding the questions
> below and this document's readiness for publication as an RFC. The files
> are here:
> >>
> >>
> https://www.rfc-editor.org/authors/rfc9538.html
> >>
> https://www.rfc-editor.org/authors/rfc9538.pdf
> >>
> https://www.rfc-editor.org/authors/rfc9538.txt
> >>
> https://www.rfc-editor.org/authors/rfc9538.xml
> (source)
> >>
> >> Diff files of all changes from the approved Internet-Draft:
> >>
> https://www.rfc-editor.org/authors/rfc9538-diff.html
>
> >>
> https://www.rfc-editor.org/authors/rfc9538-rfcdiff.html
> (side by side)
> >>
> >> This page shows the AUTH48 status of your document:
> >>
> https://www.rfc-editor.org/auth48/rfc9538
> >>
> >> Thank you.
> >> RFC Editor/ar
> >>
> >> > On Jan 22, 2024, at 10:57 PM, rfc-editor@rfc-editor.org wrote:
> >> >
> >> > Authors,
> >> >
> >> > While reviewing this document during AUTH48, please resolve (as
> necessary) the
> >> > following questions, which are also in the XML file.
> >> >
> >> > 1) <!--[rfced] May this be rephrased as follows for readability?
> >> >
> >> > Original:
> >> >   RFC9115 allows delegating entities to remain in
> >> >   full control of the delegation and be able to revoke it any time and
> >> >   this avoids the need to share private cryptographic key material
> >> >   between the involved entities.
> >> >
> >> > Perhaps:
> >> >   Per RFC 9115, delegating entities can remain in
> >> >   full control of the delegation and can revoke it at any time.
> >> >   This avoids the need to share private cryptographic key material
> >> >   between the involved entities.
> >> > -->
> >> >
> >> >
> >> > 2) <!--[rfced] FYI, in Section 1.1, we added mention of "STAR" so
> that it
> >> > is expanded upon first use. Please let us know if you prefer
> otherwise.
> >> > (In the original, the first use was in Section 3 - "ACME STAR
> delegation"
> >> > was followed by explanation but was without a direct expansion.)
> >> >
> >> > Original:
> >> >   It also uses
> >> >   terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >> >   [RFC9115].
> >> >
> >> > Current:
> >> >   It also uses
> >> >   terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >> >   [RFC9115], including Short-Term, Automatically Renewed (STAR),
> >> >   as applied to X.509 certificates.
> >> > -->
> >> >
> >> >
> >> > 3) <!--[rfced] How may this sentence be rephrased for clarity? In
> particular,
> >> > "allows to specify" is not clear. Also, Section 2.3.1.3 of RFC 9115
> >> > indicates that the CNAME mapping is optional; should this sentence be
> >> > updated to reflect that?
> >> >
> >> > Original:
> >> >      |   Note: The delegation object defined in Section 2.3.1.3 of
> >> >      |  [RFC9115] only allows to specify DNS mappings using CNAME RRs.
> >> >
> >> > Perhaps:
> >> >      |   Note: The delegation object defined in Section 2.3.1.3 of
> >> >      |  [RFC9115] only allows DNS mappings to be specified using
> CNAME RRs.
> >> >
> >> > Or:
> >> >      |   Note: The delegation object defined in Section 2.3.1.3 of
> >> >      |  [RFC9115] allows DNS mappings to be specified using only
> CNAME RRs.
> >> > -->
> >> >
> >> >
> >> > 4) <!--[rfced] FYI, for readability and precision, we have made the
> following
> >> > updates: split this into two sentences, changed "criticality around"
> >> > to "criticality of", and changed "which" to "this account".
> >> > Please review and let us know if you prefer otherwise.
> >> >
> >> > Original:
> >> >   The reader is expected to understand the ACME delegation trust model
> >> >   (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >> >   [RFC9115]), in particular the criticality around the protection of
> >> >   the user account associated with the delegation, which authorizes
> all
> >> >   the security relevant operations between dCDN and uCDN over the ACME
> >> >   channel.
> >> >
> >> > Current:
> >> >   The reader is expected to understand the ACME delegation trust model
> >> >   (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >> >   [RFC9115]).  In particular, the reader is expected to understand the
> >> >   criticality of the protection of the user account associated with
> the
> >> >   delegation; this account authorizes all the security-relevant
> >> >   operations between a dCDN and a uCDN over the ACME channel.
> >> > -->
> >> >
> >> >
> >> > Thank you.
> >> >
> >> > RFC Editor/ar
> >> >