Re: [auth48] AUTH48: RFC-to-be 9447 <draft-ietf-acme-authority-token-09> for your review

Alanna Paloma <apaloma@amsl.com> Tue, 01 August 2023 16:20 UTC

From: Alanna Paloma <apaloma@amsl.com>
In-Reply-To: <20230725055613.60C6C3E8AF@rfcpa.amsl.com>
Date: Tue, 01 Aug 2023 09:20:04 -0700
Cc: acme-ads@ietf.org, acme-chairs@ietf.org, rsalz@akamai.com, Roman Danyliw <rdd@cert.org>, auth48archive <auth48archive@rfc-editor.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Message-Id: <3DB7C9DC-0EE8-4371-A321-C18B6E7A95C9@amsl.com>
References: <20230725055613.60C6C3E8AF@rfcpa.amsl.com>
To: jon.peterson@team.neustar, Mary Barnes <mary.ietf.barnes@gmail.com>, davidhancock.ietf@gmail.com, Chris Wendt <chris-ietf@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/ByI2oWg5wC2bkpcTMhAqsfhG3_4>
Subject: Re: [auth48] AUTH48: RFC-to-be 9447 <draft-ietf-acme-authority-token-09> for your review

Greetings,

We do not believe we have heard from you regarding this document's readiness for publication.  Please review our previous messages describing the AUTH48 process and containing any document-specific questions we may have had.

We will wait to hear from you before continuing with the publication process.

The AUTH48 status page for this document is located here:
https://www.rfc-editor.org/auth48/rfc9447

Thank you,
RFC Editor/ap

> On Jul 24, 2023, at 10:56 PM, rfc-editor@rfc-editor.org wrote:
> 
> Authors,
> 
> While reviewing this document during AUTH48, please resolve (as necessary) the following questions, which are also in the XML file.
> 
> 1) <!--[rfced] Please note the title of the document has been updated as follows.
> The abbreviation has been expanded per Section 3.6 of RFC 7322 ("RFC Style Guide").
> Please review.
> 
> Original:
> ACME Challenges Using an Authority Token
> 
> Current:
> Automated Certificate Management Environment (ACME) Challenges Using an Authority Token
> -->
> 
> 
> 2) <!--[rfced] For clarity, should "Authority" be "Token Authority" here?
> 
> Original:
>   For example, imagine a case where an Authority for DNS names knows
>   that a client is eligible to receive certificates for "example.com"
>   and "example.net".
> 
> Perhaps:
>   For example, imagine a case where a Token Authority for DNS names knows
>   that a client is eligible to receive certificates for "example.com"
>   and "example.net".
> 
> 
> Similarly (for the reverse), should "Token" be "Authority Token" here?
> Or, perhaps using just one word was intended to mitigate confusion?
> 	
> Original:
>   ...an ACME server can use the
>   binding to determine that a Token presented by a client was in fact
>   granted by the Token Authority based on a request from the client,
>   and not from some other entity.
> 
> Perhaps:
>   ...an ACME server can use the
>   binding to determine that an Authority Token presented by a client was in fact
>   granted by the Token Authority based on a request from the client,
>   and not from some other entity.
> -->   
> 
> 
> 3) <!--[rfced] As "OPTIONALLY" is not a key word that appears in RFC 2119, 
> may this sentence be rephrased to use "OPTIONAL"?
> 
> Original:
>   For this ACME Authority Token usage of JWT, the payload of the JWT
>   OPTIONALLY contain an "iss" indicating the Token Authority that
>   generated the token, if the "x5u" or "x5c" element in the header does
>   not already convey that information...
> 
> Perhaps:
>   For this ACME Authority Token usage of JWT, it is OPTIONAL for the
>   payload of the JWT to contain an "iss" indicating the Token Authority that
>   generated the token if the "x5u" or "x5c" element in the header does
>   not already convey that information...
> -->   
> 
> 
> 4) <!--[rfced] We note that RFC 8226 does not contain mention of "tkvalue".
> Please review and let us know if/how this citation should be updated.
> 
> Original:
>   Following the example of [I-D.ietf-acme-authority-token-tnauthlist],
>   the "tktype" identifier type could be the TNAuthList, with a
>   "tkvalue" as defined in [RFC8226] that the Token Authority is
>   attesting.
> -->   
> 
> 
> 5) <!--[rfced] In Section 4, the following lines in sourcecode exceeded 
> the 69-character limit. Line breaks have been added as follows; please
> review and let us know if these lines should appear in a different manner.
> 
> Original (lines 407 and 408):
>     "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint":
>     "SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:
>     9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"}
> 
> Current:
>     "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==",
>     "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:
>     BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"}
> 
> 
> Original (lines 424 and 425):
>   "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","ca":true,
>   "fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50:        
>   9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
> 
> Current:
>   "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==",
>   "ca":true,"fingerprint":"SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:
>   71:D3:BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }
> -->
> 
> 
> 6) <!--[rfced] Please review the "type" attribute of each sourcecode element
> in the XML file to ensure correctness. If the current list of preferred
> values for "type" (https://www.rfc-editor.org/materials/sourcecode-types.txt) 
> does not contain an applicable type, then feel free to let us
> know. Also, it is acceptable to leave the "type" attribute not set.
> -->
> 
> 
> 7) <!-- [rfced] RFC 7231 has been obsoleted by RFC 9110.  May we replace 
> RFC 7231 with RFC 9110 in this sentence?
> 
> Original:
>   In order to request an Authority Token from a Token Authority, a
>   client sends a HTTPS POST request [RFC7231] . 
> -->
> 
> 
> 8) <!--[rfced] Per RFCs 2119 and 8174, may we update "SHOULD not" to "SHOULD NOT"
> in the sentence below?
> 
> Original:
>   ACME services relying
>   on Authority Tokens SHOULD not issue certificates with a longer
>   expiry than the expiry of the Authority Token.
> -->   
> 
> 
> 9) <!--[rfced] The following references are not cited in the text.  Please let
> us know where they should be cited or if these references should be deleted 
> from the References section.
> 
>   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
>              Resource Identifier (URI): Generic Syntax", STD 66,
>              RFC 3986, DOI 10.17487/RFC3986, January 2005,
>              <https://www.rfc-editor.org/info/rfc3986>.
> 
>   [RFC4648]  Josefsson, S., "The Base16, Base32, and Base64 Data
>              Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
>              <https://www.rfc-editor.org/info/rfc4648>.
> -->
> 
> 
> 10) <!--[rfced] Throughout the text, "ACME Identifier Type", "ACME Identifier type",
> and "ACME identifier type" were used inconsistently. We have updated
> all occurrences to capitalized, i.e., "ACME Identifier Type". 
> Please review and let us know if you prefer otherwise.
> -->
> 
> 
> 11) <!-- [rfced] FYI - We have added expansions for the following abbreviations
> per Section 3.6 of RFC 7322 ("RFC Style Guide"). Please review each expansion
> in the document carefully to ensure correctness.
> 
> JSON Web Signature (JWS)
> Telephone Number Authorization List (TNAuthList)
> -->
> 
> 
> 12) <!-- [rfced] Please review the "Inclusive Language" portion of the online 
> Style Guide <https://www.rfc-editor.org/styleguide/part2/#inclusive_language> 
> and let us know if any changes are needed. 
> 
> Note that our script did not flag any words in particular, but this should still 
> be reviewed as a best practice.
> -->
> 
> 
> Thank you.
> 
> RFC Editor/ar/ar
> 
> 
> On Jul 24, 2023, rfc-editor@rfc-editor.org wrote:
> 
> *****IMPORTANT*****
> 
> Updated 2023/07/24
> 
> RFC Author(s):
> --------------
> 
> Instructions for Completing AUTH48
> 
> Your document has now entered AUTH48.  Once it has been reviewed and 
> approved by you and all coauthors, it will be published as an RFC.  
> If an author is no longer available, there are several remedies 
> available as listed in the FAQ (https://www.rfc-editor.org/faq/).
> 
> You and your coauthors are responsible for engaging other parties 
> (e.g., Contributors or Working Group) as necessary before providing 
> your approval.
> 
> Planning your review 
> ---------------------
> 
> Please review the following aspects of your document:
> 
> *  RFC Editor questions
> 
>  Please review and resolve any questions raised by the RFC Editor 
>  that have been included in the XML file as comments marked as 
>  follows:
> 
>  <!-- [rfced] ... -->
> 
>  These questions will also be sent in a subsequent email.
> 
> *  Changes submitted by coauthors 
> 
>  Please ensure that you review any changes submitted by your 
>  coauthors.  We assume that if you do not speak up that you 
>  agree to changes submitted by your coauthors.
> 
> *  Content 
> 
>  Please review the full content of the document, as this cannot 
>  change once the RFC is published.  Please pay particular attention to:
>  - IANA considerations updates (if applicable)
>  - contact information
>  - references
> 
> *  Copyright notices and legends
> 
>  Please review the copyright notice and legends as defined in
>  RFC 5378 and the Trust Legal Provisions 
>  (TLP – https://trustee.ietf.org/license-info/).
> 
> *  Semantic markup
> 
>  Please review the markup in the XML file to ensure that elements of  
>  content are correctly tagged.  For example, ensure that <sourcecode> 
>  and <artwork> are set correctly.  See details at 
>  <https://authors.ietf.org/rfcxml-vocabulary>.
> 
> *  Formatted output
> 
>  Please review the PDF, HTML, and TXT files to ensure that the 
>  formatted output, as generated from the markup in the XML file, is 
>  reasonable.  Please note that the TXT will have formatting 
>  limitations compared to the PDF and HTML.
> 
> 
> Submitting changes
> ------------------
> 
> To submit changes, please reply to this email using ‘REPLY ALL’ as all 
> the parties CCed on this message need to see your changes. The parties 
> include:
> 
>  *  your coauthors
> 
>  *  rfc-editor@rfc-editor.org (the RPC team)
> 
>  *  other document participants, depending on the stream (e.g., 
>     IETF Stream participants are your working group chairs, the 
>     responsible ADs, and the document shepherd).
> 
>  *  auth48archive@rfc-editor.org, which is a new archival mailing list 
>     to preserve AUTH48 conversations; it is not an active discussion 
>     list:
> 
>    *  More info:
>       https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc
> 
>    *  The archive itself:
>       https://mailarchive.ietf.org/arch/browse/auth48archive/
> 
>    *  Note: If only absolutely necessary, you may temporarily opt out 
>       of the archiving of messages (e.g., to discuss a sensitive matter).
>       If needed, please add a note at the top of the message that you 
>       have dropped the address. When the discussion is concluded, 
>       auth48archive@rfc-editor.org will be re-added to the CC list and 
>       its addition will be noted at the top of the message. 
> 
> You may submit your changes in one of two ways:
> 
> An update to the provided XML file
> — OR —
> An explicit list of changes in this format
> 
> Section # (or indicate Global)
> 
> OLD:
> old text
> 
> NEW:
> new text
> 
> You do not need to reply with both an updated XML file and an explicit 
> list of changes, as either form is sufficient.
> 
> We will ask a stream manager to review and approve any changes that seem
> beyond editorial in nature, e.g., addition of new text, deletion of text, 
> and technical changes.  Information about stream managers can be found in 
> the FAQ.  Editorial changes do not require approval from a stream manager.
> 
> 
> Approving for publication
> --------------------------
> 
> To approve your RFC for publication, please reply to this email stating
> that you approve this RFC for publication.  Please use ‘REPLY ALL’,
> as all the parties CCed on this message need to see your approval.
> 
> 
> Files 
> -----
> 
> The files are available here:
>  https://www.rfc-editor.org/authors/rfc9447.xml
>  https://www.rfc-editor.org/authors/rfc9447.html
>  https://www.rfc-editor.org/authors/rfc9447.pdf
>  https://www.rfc-editor.org/authors/rfc9447.txt
> 
> Diff file of the text:
>  https://www.rfc-editor.org/authors/rfc9447-diff.html
>  https://www.rfc-editor.org/authors/rfc9447-rfcdiff.html (side by side)
> 
> Diff of the XML: 
>  https://www.rfc-editor.org/authors/rfc9447-xmldiff1.html
> 
> The following files are provided to facilitate creation of your own 
> diff files of the XML.  
> 
> Initial XMLv3 created using XMLv2 as input:
>  https://www.rfc-editor.org/authors/rfc9447.original.v2v3.xml 
> 
> XMLv3 file that is a best effort to capture v3-related format updates 
> only: 
>  https://www.rfc-editor.org/authors/rfc9447.form.xml
> 
> 
> Tracking progress
> -----------------
> 
> The details of the AUTH48 status of your document are here:
>  https://www.rfc-editor.org/auth48/rfc9447
> 
> Please let us know if you have any questions.  
> 
> Thank you for your cooperation,
> 
> RFC Editor
> 
> --------------------------------------
> RFC9447 (draft-ietf-acme-authority-token-09)
> 
> Title            : ACME Challenges Using an Authority Token
> Author(s)        : J. Peterson, M. Barnes, D. Hancock, C. Wendt
> WG Chair(s)      : Deb Cooley, Deb Cooley, Yoav Nir
> Area Director(s) : Roman Danyliw, Paul Wouters
>
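The claim-level rules touched on in the quoted questions 3, 5 and 8 (an "iss" that is only optional when "x5u"/"x5c" in the header already identifies the Token Authority, the "atc" object with its "tktype", "tkvalue", "ca" and "fingerprint" members, and the rule that an ACME server should not issue a certificate that outlives the Authority Token) are shown below as an added Python example. It is not part of this thread and is not code from RFC 9447 or its authors. It assumes the JWS signature has already been verified against the Token Authority's certificate; the header, "exp", "jti" and the time values are constructed, and only the "atc" object is copied from the sample in question 5. How the fingerprint relates to the ACME account key is out of scope here; the helper only parses the string into the 32-byte digest the server would compare against.

```python
"""Claim-level checks for an ACME Authority Token payload (added example).

Assumes the JWS signature was ALREADY verified against the Token Authority's
certificate ("x5u"/"x5c"); nothing here checks cryptography. Times are
integer epoch seconds, as in the JWT "exp" claim.
"""
import re

# "SHA256 " followed by 32 colon-separated uppercase hex byte values,
# the shape of the sample fingerprint quoted in question 5.
FINGERPRINT_RE = re.compile(r"^SHA256 (?:[0-9A-F]{2}:){31}[0-9A-F]{2}$")

# Constructed sample header: the Token Authority is identified by "x5u",
# so an "iss" claim in the payload is optional.
SAMPLE_HEADER = {"alg": "ES256", "typ": "JWT",
                 "x5u": "https://token-authority.example/cert.pem"}  # constructed

# Constructed sample payload; only the "atc" object is taken from the thread.
SAMPLE_PAYLOAD = {
    "exp": 1700000000,               # constructed
    "jti": "constructed-token-id-1",  # constructed
    "atc": {"tktype": "TnAuthList", "tkvalue": "F83n2a...avn27DN3==", "ca": True,
            "fingerprint": "SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:"
                           "BA:B9:19:81:F8:50:9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"},
}
NOW = 1690000000  # constructed "current time", ~115 days before SAMPLE_PAYLOAD["exp"]


def check_authority_token(header: dict, payload: dict, now: int, cert_not_after: int) -> list:
    """Return a list of policy problems (empty list means the token passes).

    cert_not_after is the notAfter the ACME server intends to put in the
    certificate; it must not exceed the token's "exp".
    """
    problems = []

    # Question 3: "iss" is optional only if "x5u"/"x5c" already convey the issuer.
    if "iss" not in payload and "x5u" not in header and "x5c" not in header:
        problems.append("no issuer: neither 'iss' nor 'x5u'/'x5c' present")

    # Question 8: certificate expiry must not exceed token expiry.
    exp = payload.get("exp")
    if not isinstance(exp, int):
        problems.append("'exp' missing or not an integer")
    else:
        if exp <= now:
            problems.append("token expired")
        if cert_not_after > exp:
            problems.append("certificate expiry would exceed token expiry")

    # Question 5: structure of the "atc" claim.
    atc = payload.get("atc")
    if not isinstance(atc, dict):
        problems.append("'atc' claim missing or not an object")
        return problems
    for key in ("tktype", "tkvalue", "fingerprint"):
        if not isinstance(atc.get(key), str) or not atc[key]:
            problems.append(f"'atc.{key}' missing or not a non-empty string")
    if "ca" in atc and not isinstance(atc["ca"], bool):
        problems.append("'atc.ca' must be a boolean")
    fp = atc.get("fingerprint")
    if isinstance(fp, str) and not FINGERPRINT_RE.match(fp):
        problems.append("'atc.fingerprint' is not 'SHA256 ' + 32 colon-separated hex bytes")
    return problems


def fingerprint_bytes(fingerprint: str) -> bytes:
    """Parse 'SHA256 AA:BB:...' into the raw 32-byte digest for comparison."""
    if not FINGERPRINT_RE.match(fingerprint):
        raise ValueError("malformed fingerprint")
    return bytes.fromhex(fingerprint.split(" ", 1)[1].replace(":", ""))


def max_certificate_not_after(payload: dict) -> int:
    """Latest notAfter an ACME server may issue for this token (the token's exp)."""
    return int(payload["exp"])


if __name__ == "__main__":
    ok = check_authority_token(SAMPLE_HEADER, SAMPLE_PAYLOAD, NOW, NOW + 30 * 86400)
    too_long = check_authority_token(SAMPLE_HEADER, SAMPLE_PAYLOAD, NOW, NOW + 200 * 86400)
    print("30-day certificate:", ok or "OK")
    print("200-day certificate:", too_long)
    print("fingerprint bytes:", fingerprint_bytes(SAMPLE_PAYLOAD["atc"]["fingerprint"]).hex())
```

A server would run these checks after signature verification and before building the certificate, clamping the requested notAfter to `max_certificate_not_after(payload)` rather than silently issuing a longer-lived certificate.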