Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-uta-rfc6125bis-15> for your review
Orie Steele <orie@transmute.industries> Tue, 31 October 2023 14:05 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63D70C138FA3 for <auth48archive@ietfa.amsl.com>; Tue, 31 Oct 2023 07:05:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.085
X-Spam-Level:
X-Spam-Status: No, score=-6.085 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DOTGOV_IMAGE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZu9WklgU3pv for <auth48archive@ietfa.amsl.com>; Tue, 31 Oct 2023 07:05:00 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BE82C15C2B9 for <auth48archive@rfc-editor.org>; Tue, 31 Oct 2023 07:05:00 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id 41be03b00d2f7-5b92b670f2aso4298962a12.2 for <auth48archive@rfc-editor.org>; Tue, 31 Oct 2023 07:05:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1698761099; x=1699365899; darn=rfc-editor.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EMg4O+m3J4j7xg7fgCqF62+A54iaSp2pXQyd+ukBvdM=; b=hR64TaC70bKYeaOro55VCinx5x2BbTe9KdDSNznIambNH9x/rDmES5tsGk9uZYHk9R RehX3O+HPZFQngVSEmswe7hWzjJoRWRLyUc337fRAMz2bwpTjqmE6pm3muSNTpY4wPXC NQqOZe4BK2/RTrpEU46+PmnEwTeq2VWDFEVCyfi+vgdgqg0APVZSNle+gxZdFEyYTzi8 MxDtMYjofTNoHmKQ+wkFlz/qDaLoG29Nv3fuPsZtzjB/m8wQBCQZbPMnORnNJfF+ugJH 0PpZyLqADq2vixdMeZ9dfvw5HMFH40P/ENoxiouPeJYCiyEsC1jbByIcGfuhaWt7qRda AbCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698761099; x=1699365899; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EMg4O+m3J4j7xg7fgCqF62+A54iaSp2pXQyd+ukBvdM=; b=hkwvYVsUtmWr7BCQE0lSL77glO9xImRj17vNnuubj+FkUzR8yZuOHJ/fuPF94cxIlO AaL6oBe5b33HJza+hmZCNQDwbD9ypbZZmtsSzcpsBMEo8suw+FeEWnpRuKoGFHlduIIq /KQQE08mDZLuoDB4JYgGD/1iB9OA40FRUG4hI6ZdDn/ITmmJ0O5Byc/F/LKM3+6GPHUo NU6cme1YwCY7fTpy/1Q9yP3I+quAH61FhWsLD02AcVPhK5rgYMEC3xRqyAOfb94GTnr7 /ATXm+xEGtjKe6+tswnN4QRMc2FSCcoDgepSBdUnQA6/lkIDcVp9EKrAGlnXGbTCAJWu 7jxQ==
X-Gm-Message-State: AOJu0Yx2YMTJ4spjtaG/UJU0RvhVoFGvHrHHcDqwKuI/esSvuJqIWfFO jF+138SNLb975MoLrKCRXMALnu788omFv49Sm1Tp/w==
X-Google-Smtp-Source: AGHT+IGwiL9vbpEnHr27QdRMhoMlafK109u2QsAu171g35O/13i9k2uAqRkYgjf/hqUahNDzfFKD2LT+mXBfKPzXsvg=
X-Received: by 2002:a17:90a:6505:b0:280:2935:af27 with SMTP id i5-20020a17090a650500b002802935af27mr7607325pjj.7.1698761099548; Tue, 31 Oct 2023 07:04:59 -0700 (PDT)
MIME-Version: 1.0
References: <20231030161554.3447BE5337@rfcpa.amsl.com> <dad38a2d-a875-4193-ba12-8c847b0a4bda@stpeter.im>
In-Reply-To: <dad38a2d-a875-4193-ba12-8c847b0a4bda@stpeter.im>
From: Orie Steele <orie@transmute.industries>
Date: Tue, 31 Oct 2023 09:04:48 -0500
Message-ID: <CAN8C-_+NeH8y29RCXOoPtuPH_j=maNWmhRAaRFqo4t3=9nPKtQ@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: rfc-editor@rfc-editor.org, rsalz@akamai.com, uta-ads@ietf.org, uta-chairs@ietf.org, paul.wouters@aiven.io, auth48archive@rfc-editor.org
Content-Type: multipart/alternative; boundary="000000000000e5b1c3060903a391"
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/UzA75Tx9r_7MJ7WVMcnDxP-feZ4>
Subject: Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-uta-rfc6125bis-15> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2023 14:05:05 -0000
Inline: On Mon, Oct 30, 2023 at 6:55 PM Peter Saint-Andre <stpeter@stpeter.im> wrote: > Thanks for working on this document. Comments inline, areas of agreement > elided. > > On 10/30/23 10:15 AM, rfc-editor@rfc-editor.org wrote: > > > 5) <!--[rfced] In the following, should "component" be plural since it's > > referring to "parameters"? > > > > Original: > > Other aspects of a service such as a specific resource (the URI > > "path" component) or parameters (the URI "query" component) are > > the responsibility of specific protocols or URI schemes. > > > > Perhaps: > > Other aspects of a service such as a specific resource (the URI > > "path" component) or parameters (the URI "query" components) are > > the responsibility of specific protocols or URI schemes. > > --> > > Here 'component' should be singular - there's only one query component > in a URI, but it can include multiple parameters. > > I agree. > > 6) <!-- [rfced] In the html and pdf outputs, the text enclosed in <tt> > is output in > > fixed-width font. In the txt output, there are no changes to the font, > > and the quotation marks have been removed. > > > > In the html and pdf outputs, the text enclosed in <em> is output in > > italics. In the txt output, the text enclosed in <em> appears with an > > underscore before and after. > > > > Please review carefully and let us know if the output is acceptable or > if any > > updates are needed. > > --> > > That looks fine to me. > > I agree. > > 7) <!--[rfced] RFC 2818 [HTTP-OVER-TLS] has been obsoleted by RFC 9110 > > [HTTP]. Please let us know if we can replace "[HTTP-OVER-TLS]" > > with "[HTTP]" in the following and also remove the > > "[HTTP-OVER-TLS]" entry from the References section since it is > > not cited elsewhere. > > I think this should be done, but would like to hear from Rich. > That's acceptable to me. Rich, do you have concerns? > > > In addition, please clarify "when the client uses [SVCB-FOR-HTTPS] or > > [SVCB-FOR-DNS]" - what is the client using or applying the PKIX > > validation rules to in these documents? Or is the intent to state > > that the PKIX validation rules are the same as described in these > > documents? Please clarify. > > > > Original: > > For example, the PKIX validation rules for [HTTP-OVER-TLS] and > > [DNS-OVER-TLS] do not change when the client uses [SVCB-FOR-HTTPS] > > or [SVCB-FOR-DNS]. > > > > Perhaps: > > For example, the PKIX validation rules described in [HTTP] and > > [DNS-OVER-TLS] are the same as described in [SVCB-FOR-HTTPS] and > > [SVCB-FOR-DNS]. > > --> > > I believe the meaning is explained in the previous sentence; this > sentence is merely an example that points to several of the documents in > progress regarding SVCB. > > I agree, but to answer the question directly I believe the intention is to communicate that the PKIX validation rules are the same, as of now, and warn that they might not be in the future. > > 8) <!--[rfced] We notice inconsistent use of quote marks and angle > > brackets for example URIs/URLs. Are any updates needed for > > consistency? > > > > Some examples: > > <sip:voice.college.example> > > <sip:alice@college.example> > > "www.bigcompany.example" > > www.bigcompany.example > > https://www.bigcompany.example/ > > --> > > I'd put them all in angle brackets. > > I agree > 9) <!--[rfced] May we rephrase this sentence as follows in order to > > expand the first mention of "XMPP"? Also, what is discoverable > > via DNS SRV lookups - is it the server (option A) or the IM > > addresses (option B)? > > > > Original: > > Consider an XMPP-compatible instant messaging (IM) server at the host > > messenger.example servicing IM addresses of the form > > user@messenger.example and discoverable via DNS SRV lookups on the > > messenger.example domain. > > > > Perhaps: > > A) Consider an instant messaging (IM) server that is compatible with > > the Extensible Messaging and Presence Protocol (XMPP) at the host > > messenger.example that services IM addresses of the form > > user@messenger.example and is discoverable via DNS SRV lookups > > on the messenger.example domain. > > I like (A) but I would say "and that is discoverable"; this document is > about the verification of services discovered via DNS (mostly), so in > this case and all cases it is the services we care about, not the > addresses serviced there. > > > or > > > > B) Consider an instant messaging (IM) server that is compatible with > > the Extensible Messaging and Presence Protocol (XMPP) at the host > > messenger.example that services IM addresses of the form > > user@messenger.example, which are discoverable via DNS SRV lookups > > on the messenger.example domain. > > --> > > > > > > 10) <!--[rfced] To avoid personification, can the protocol "specify" or > > "require" instead of "insist" in the following context? > > > > Original: > > Similarly, it could insist that a domain name or IP address > > taken as input to the reference identifier must be obtained > > in a secure context such as... > > > > Perhaps: > > Similarly, it could specify that a domain name or an IP address > > taken as input to the reference identifier must be obtained > > in a secure context such as... > > --> > > Protocols are people too! ;-) > > I think "specify" is good here (and consistent with the previous sentence). > > > 11) <!--[rfced] Since nouns with "(s)" are read as singular, please let > us > > know if you prefer the text to reflect option A or B below. > > > > Original: > > Using the combination of FQDN(s) or IP address(es), plus optionally > > an application service type, the client MUST construct its list of > > reference identifiers in accordance with the following rules: > > > > Perhaps: > > A) Using the combination of an FQDN(s) or an IP address(es), plus > > optionally an application service type, the client MUST construct > > its list of reference identifiers in accordance with the following > > rules: > > or > > > > B) Using the combination of one or more FQDNs or IP addresses, plus > > optionally an application service type, the client MUST construct > > its list of reference identifiers in accordance with the following > > rules: > > --> > > I think (B) reads more smoothly. > > > 12) <!--[rfced] To be "equal" means to be of the same amount or number, > so > > could "exactly equal" be updated as "equal" to reduce redundancy? > > Note that there are two instances. Please clarify. > > > > Original: > > An IP-ID reference identifier MUST be exactly equal to the value > > of a iPAddress entry in subjectAltName, with no partial (e.g., > > network-level) matching. There is no application service type. > > > > A wildcard in a presented identifier can only match exactly one label > > in a reference identifier. > > > > Perhaps: > > An IP-ID reference identifier MUST be equal to the value of > > an iPAddress entry in subjectAltName, with no partial (e.g., > > network-level) matching. There is no application service > > type. > > > > A wildcard in a presented identifier can only match one label > > in a reference identifier. > > --> > > I might say "MUST exactly match". > > > 13) <!--[rfced] Does an IP-ID perform matches, or is an IP-ID considered > > a match based on certain criteria? Please let us know if/how we > > can clarify this sentence. > > > > Original: > > An IP-ID matches based on an octet-for-octet comparison of the bytes > > of the reference identity with the bytes contained in the iPAddress > > subjectAltName. > > > > Perhaps: > > An IP-ID is considered a match based on an octet-for-octet > comparison of > > the bytes of the reference identity with the bytes contained in the > > iPAddress subjectAltName. > > --> > > I might say "Matching of an IP-ID is based on..." > > > 14) <!--[rfced] Should this reference be to "Section 6.3" instead of > > "Section 6" since "A-labels" are not specifically mentioned in > > Section 6? > > > > Original: > > More specifically, matching of internationalized domain > > names is performed on A-labels only Section 6. > > > > Perhaps: > > Specifically, the matching of internationalized domain > > names is performed on A-labels only (Section 6.3). > > --> > > WFM. > > > 15) <!--[rfced] Section 4.4.2.2 of RFC 8446 does not mention "SNI"; is > > another section intended? Note that in Section 4.2.11, "SNI" is > > discussed and expanded as "Server Name Identification (SNI)", but > > in Section 9.2, "Server Name Indication" is included in the list > > of TLS extensions. Given this, please let us know if any updates > > are needed to the section reference and expansion of "SNI" in > > the text below. > > > > Original: > > TLS Extensions such as TLS Server Name Indication (SNI), discussed > > in [TLS], Section 4.4.2.2, and Application Layer Protocol Negotiation > > (ALPN), discussed in [ALPN], provide a way for the application to > > indicate the desired identifier and protocol to the server, which > > it can then use to select the most appropriate certificate. > > --> > > I'm not sure how we ended up including such an incorrect citation. The > best reference is Section 3 of RFC 6066. That's what we cited as > [TLS-EXT] in RFC 6125. > As Document Shepheard, I missed this, Section 3 of RFC 6066 seems like the correct reference to me. > > 16) <!--[rfced] References > > > > a) FYI: There was a duplicate reference entry for RFC 3986 with > > one citation name displayed as "[RFC3986]" and the other as > > "[URI]". We kept the "URI" naming scheme. If you prefer to use > > the RFC number instead, please let us know. > > [URI] is good. > > > b) There is a more recent version of [US-ASCII]. Please > > confirm if the reference entry should be updated to reflect "ANSI > > INCITS 4-1986 (R2007)" (see http://sliderule.mraiow.com/ > > w/images/7/73/ASCII.pdf) instead of "ANSI X3.4-1986". > > > > Original: > > [US-ASCII] American National Standards Institute, > > "Coded Character Set - 7-bit American > > Standard Code for Information > > Interchange", ANSI X3.4, 1986. > > > > Perhaps: > > [US-ASCII] American National Standards Institute, > > "Coded Character Sets - 7-bit American > > Standard Code for Information > > Interchange (7-Bit ASCII)", ANSI INCITS > > 4-1986 (R2007), June 2007. > > Is it IETF or RPC preference to cite RFC 20? If not, the more recent > reference seems good. > > > c) The 2005 version of reference X.509 has been superseded > > (see https://www.itu.int/rec/T-REC-X.509). Would you like to > > point to the most current version (2019) as follows or keep the > > entry the same? > > > > Current: > > [X.509] ITU-T, "Information Technology - Open Systems > > Interconnection - The Directory: Public-key and > > attribute certificate frameworks", ISO/IEC 9594-8, > > ITU-T Recommendation X.509, August 2005. > > > > Perhaps: > > [X.509] ITU-T, "Information Technology - Open Systems > > Interconnection - The Directory: Public-key and > > attribute certificate frameworks", ISO/IEC 9594-8, > > ITU-T Recommendation X.509, October 2019. > > The more recent reference is likely preferable. > > > d) The 2008 version of reference X.690 has been superseded > > (see https://www.itu.int/rec/T-REC-X.690). Would you like to > > point to the most current version (2021) as follows or keep the > > entry the same? > > > > Current: > > [X.690] ITU-T, "Information Technology - ASN.1 encoding rules: > > Specification of Basic Encoding Rules (BER), Canonical > > Encoding Rules (CER) and Distinguished Encoding Rules > > (DER)", ISO/IEC 8825-1, ITU-T Recommendation X.690, > > November 2008. > > > > Perhaps: > > [X.690] ITU-T, "Information Technology - ASN.1 encoding rules: > > Specification of Basic Encoding Rules (BER), Canonical > > Encoding Rules (CER) and Distinguished Encoding Rules > > (DER)", ISO/IEC 8825-1:2021 (E), ITU-T Recommendation > > X.690, February 2021. > > --> > > Ditto. > > > 17) <!--[rfced] In the Acknowledgements, we updated "Ines Robles" to > > "Maria Ines Robles". If that is not correct, please let us know. > > Thanks. > > > Also, would you like to add the name of the mailing list here? > > > > Original: > > In addition to discussion on the mailing list, the following people > > provided official reviews or especially significant feedback: > > --> > > I might say "discussion within the UTA WG". > > > 18) <!-- [rfced] Acronym Expansions > > > > a) Throughout the text, the following expansion appears to be used > > inconsistently. Please review these occurrences and let us know > > if/how they may be made consistent. > > > > certificate authority (CA) (this doc) vs. > > certification authority (CA) (per RFCs 5280, 6125, and 9345) > > > > Note: In addition, we see the following: > > - "certification authority" in Section 1.4.2 > > - "certificate authority" in Section 4.1 > > Since we used "certification authority" in RFC 6125, I'd prefer to > consistently use it here again. > > > b) FYI: We updated the text to reflect the latter form for > > consistency per RFCs 5280 and 6125: > > > > Public Key Infrastructure Using X.509 (PKIX) -> > > Public Key Infrastructure using X.509 (PKIX) > > --> > > Thanks. > > > 19) <!-- [rfced] Please review the "Inclusive Language" portion of the > online > > Style Guide < > https://www.rfc-editor.org/styleguide/part2/#inclusive_language> > > and let us know if any changes are needed. > > > > For example, please consider whether "tradition" should be updated for > > clarity. While the NIST website > > <https://www.nist.gov/nist-research-library/nist-technical-series- > > publications-author-instructions#table1> indicates that this term is > > potentially biased, it is also ambiguous. "Tradition" is a subjective > > term, as it is not the same for everyone. > > --> > > Well, fully qualified domain names conforming to "preferred name syntax" > as described in Section 3.5 of RFC 1034 were, in fact, the same for > everyone! So I don't consider the use of "traditional" here to be biased > or ambiguous - that's just how the Internet was defined in IETF RFCs. > > Thanks again for your careful attention to this document. > > Peter > > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-uta-r… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Orie Steele
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Salz, Rich
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Alanna Paloma
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Paul Wouters
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Salz, Rich
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Paul Wouters
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Karen Moore
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Peter Saint-Andre
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Karen Moore
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Salz, Rich
- Re: [auth48] AUTH48: RFC-to-be 9525 <draft-ietf-u… Karen Moore