Re: [auth48] AUTH48: RFC-to-be 9538 <draft-ietf-cdni-delegation-acme-04> for your review
Alice Russo <arusso@amsl.com> Wed, 07 February 2024 17:17 UTC
Cc: cdni-ads@ietf.org, cdni-chairs@ietf.org, kevin.j.ma.ietf@gmail.com, francesca.palombini@ericsson.com, rfc-editor@rfc-editor.org, auth48archive <auth48archive@rfc-editor.org>
To: frederic.fieau@orange.com, emile.stephan@orange.com, "Mishra, Sanjay" <sanjay.mishra=40verizon.com@dmarc.ietf.org>
Authors,

Sanjay, thank you for your reply and for letting us know about Frederic's reply to the CDNI mailing list. Please reply to the 4 questions below regarding changes to the text.

The edited document is here:
   https://www.rfc-editor.org/authors/rfc9538.html
   https://www.rfc-editor.org/authors/rfc9538.pdf
   https://www.rfc-editor.org/authors/rfc9538.txt
   https://www.rfc-editor.org/authors/rfc9538.xml (source)

Diff files of all changes from the approved Internet-Draft:
   https://www.rfc-editor.org/authors/rfc9538-diff.html
   https://www.rfc-editor.org/authors/rfc9538-rfcdiff.html (side by side)

This page shows the AUTH48 status of your document:
   https://www.rfc-editor.org/auth48/rfc9538

In addition to the authors' responses to the questions, we hope to hear from Emile Stephan, as an approval is needed from each author listed in the first-page header of the RFC.

Thank you.
RFC Editor/ar

> On Feb 7, 2024, at 7:21 AM, Mishra, Sanjay <sanjay.mishra=40verizon.com@dmarc.ietf.org> wrote:
>
> Hi Alice - My co-author Frederic Fieau responded approving this draft; however, it is a different email thread addressed to cdni@ietf.org, so as confirmation, I'm responding to this thread: I, as a co-author along with Emile Stephan and Frederic Fieau, have reviewed all changes and approve publication of this document as RFC 9538.
>
> We are thankful to co-chair Kevin Ma for his guidance and the AD, Francesca Palombini and everyone that contributed and commented to this draft and of course a big thanks to the editorial team.
>
> Regards
> Sanjay Mishra
>
> snippet of email from Fred is below:
> frederic.fieau@orange.com
> 9:41 AM (37 minutes ago)
> to cdni@ietf.org, me, STEPHAN
>
> Dear all,
>
> I have reviewed all changes in draft-ietf-cdni-delegation-acme and concur with them. On behalf of the authors, I approve the document for publication as RFC9538.
>
> I would like to thank the CDNI WG and all individuals who participated for their valuable contributions throughout the process which has now reached its conclusion for this draft.
>
> Regards,
> Frederic
>
> On Tue, Feb 6, 2024 at 6:12 PM Alice Russo <arusso@amsl.com> wrote:
> Authors,
>
> This is a reminder that we await word from you regarding the questions below and this document's readiness for publication as an RFC. The files are here:
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538.html&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=5TzFzGWGUvYktrbM8hNWTP8hhGH7e5HbSUIxNf_TLA0&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538.pdf&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=-ES9wp1LnU6Q7BFV8U-fcv_gUpKgEg8ECmuutDUGb9w&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538.txt&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=6vBNFP8MiPXcTbSU4PnBrPvuXbyaL7ysXKxiedlaDGc&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538.xml&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=QyfJ3JEyXCJaYC3zyThHRZBmzKiYNACxoJ4MArXCUK8&e= (source)
>
> Diff files of all changes from the approved Internet-Draft:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538-2Ddiff.html&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=lHSovOjBUHrLUveLLyMBUoqm_IlAWXB37E8HMdIUZ68&e=
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_authors_rfc9538-2Drfcdiff.html&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=MjAFFfiY9fQr9Bv5FYsBigSAzexwRe3sL6KOEbvy7PM&e= (side by side)
>
> This page shows the AUTH48 status of your document:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.rfc-2Deditor.org_auth48_rfc9538&d=DwIFaQ&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=_uLNEDcaPBsFXYMA8j5oRepqfLBtLE6RKluO5xkPC-kqNuhB9LwWEVarzV9IR2tN&s=-577wxpatCuL4syt5zliTCPSry6dSb98RzaRlHqLg10&e=
>
> Thank you.
> RFC Editor/ar
>
> > On Jan 22, 2024, at 10:57 PM, rfc-editor@rfc-editor.org wrote:
> >
> > Authors,
> >
> > While reviewing this document during AUTH48, please resolve (as necessary) the
> > following questions, which are also in the XML file.
> >
> > 1) <!--[rfced] May this be rephrased as follows for readability?
> >
> > Original:
> >    RFC9115 allows delegating entities to remain in
> >    full control of the delegation and be able to revoke it any time and
> >    this avoids the need to share private cryptographic key material
> >    between the involved entities.
> >
> > Perhaps:
> >    Per RFC 9115, delegating entities can remain in
> >    full control of the delegation and can revoke it at any time.
> >    This avoids the need to share private cryptographic key material
> >    between the involved entities.
> > -->
> >
> >
> > 2) <!--[rfced] FYI, in Section 1.1, we added mention of "STAR" so that it
> > is expanded upon first use. Please let us know if you prefer otherwise.
> > (In the original, the first use was in Section 3 - "ACME STAR delegation"
> > was followed by explanation but was without a direct expansion.)
> >
> > Original:
> >    It also uses
> >    terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >    [RFC9115].
> >
> > Current:
> >    It also uses
> >    terminology from Section 1.2 of [RFC8739] and Section 1.1 of
> >    [RFC9115], including Short-Term, Automatically Renewed (STAR),
> >    as applied to X.509 certificates.
> > -->
> >
> >
> > 3) <!--[rfced] How may this sentence be rephrased for clarity? In particular,
> > "allows to specify" is not clear. Also, Section 2.3.1.3 of RFC 9115
> > indicates that the CNAME mapping is optional; should this sentence be
> > updated to reflect that?
> >
> > Original:
> >    | Note: The delegation object defined in Section 2.3.1.3 of
> >    | [RFC9115] only allows to specify DNS mappings using CNAME RRs.
> >
> > Perhaps:
> >    | Note: The delegation object defined in Section 2.3.1.3 of
> >    | [RFC9115] only allows DNS mappings to be specified using CNAME RRs.
> >
> > Or:
> >    | Note: The delegation object defined in Section 2.3.1.3 of
> >    | [RFC9115] allows DNS mappings to be specified using only CNAME RRs.
> > -->
> >
> >
> > 4) <!--[rfced] FYI, for readability and precision, we have made the following
> > updates: split this into two sentences, changed "criticality around"
> > to "criticality of", and changed "which" to "this account".
> > Please review and let us know if you prefer otherwise.
> >
> > Original:
> >    The reader is expected to understand the ACME delegation trust model
> >    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >    [RFC9115]), in particular the criticality around the protection of
> >    the user account associated with the delegation, which authorizes all
> >    the security relevant operations between dCDN and uCDN over the ACME
> >    channel.
> >
> > Current:
> >    The reader is expected to understand the ACME delegation trust model
> >    (Section 7.1 of [RFC9115]) and security goal (Section 7.2 of
> >    [RFC9115]). In particular, the reader is expected to understand the
> >    criticality of the protection of the user account associated with the
> >    delegation; this account authorizes all the security-relevant
> >    operations between a dCDN and a uCDN over the ACME channel.
> > -->
> >
> >
> > Thank you.
> >
> > RFC Editor/ar