IETF Logo Mail Archive

Re: [Gen-art] Genart last call review of draft-ietf-acme-acme-11

worley@ariadne.com (Dale R. Worley) Wed, 25 April 2018 00:39 UTC

Return-Path: <worley@alum.mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 989B912DA02 for <gen-art@ietfa.amsl.com>; Tue, 24 Apr 2018 17:39:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.685
X-Spam-Level:
X-Spam-Status: No, score=-1.685 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oo1-aYxUCRUI for <gen-art@ietfa.amsl.com>; Tue, 24 Apr 2018 17:39:51 -0700 (PDT)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D94912D87E for <gen-art@ietf.org>; Tue, 24 Apr 2018 17:39:51 -0700 (PDT)
Received: from resomta-ch2-05v.sys.comcast.net ([69.252.207.101]) by resqmta-ch2-09v.sys.comcast.net with ESMTP id B7qnf48y5V2P2B8TOfmvTP; Wed, 25 Apr 2018 00:39:50 +0000
Received: from hobgoblin.ariadne.com ([IPv6:2601:192:4603:9471:222:fbff:fe91:d396]) by resomta-ch2-05v.sys.comcast.net with ESMTPA id B8TMfzUCwZzcdB8TNf1gGC; Wed, 25 Apr 2018 00:39:49 +0000
Received: from hobgoblin.ariadne.com (hobgoblin.ariadne.com [127.0.0.1]) by hobgoblin.ariadne.com (8.14.7/8.14.7) with ESMTP id w3P0dmYi019062; Tue, 24 Apr 2018 20:39:48 -0400
Received: (from worley@localhost) by hobgoblin.ariadne.com (8.14.7/8.14.7/Submit) id w3P0dmrm019057; Tue, 24 Apr 2018 20:39:48 -0400
X-Authentication-Warning: hobgoblin.ariadne.com: worley set sender to worley@alum.mit.edu using -f
From: worley@ariadne.com
To: Richard Barnes <rlb@ipv.sx>
Cc: gen-art@ietf.org, draft-ietf-acme-acme.all@ietf.org, acme@ietf.org, ietf@ietf.org
In-Reply-To: <CAL02cgQ9BC8HzOZZjnYBz5gsH8ZEgGjFcPeGZvrmqVjfHefB7g@mail.gmail.com> (rlb@ipv.sx)
Sender: worley@ariadne.com
Date: Tue, 24 Apr 2018 20:39:47 -0400
Message-ID: <87lgdc9l0s.fsf@hobgoblin.ariadne.com>
X-CMAE-Envelope: MS4wfIlp1wXYO4HEnAsY9KTQH2kq4A4QAfOjNfaBIo0Z7hl9UNOpSfd7m1vtyx+Z7KMVCu7OR4lg9S4LVCTR674DA/D7NtHgIZTmnJF857h48xYGVIpl4M/f AH9oW8RaZ129hK8FnYnPFpVzNfwpoqKFUMf9N5UQHsDYLuoxmdqFk4M9DEZkg9bQY/A1z+BSvP9O7QRA9A/nC/R+tdQkmY8O64q+OLLMD5d+SX4zn1K6Ch47 hvD9BosuBVptwGcpNP13dv1cBSv4i7oz/r1icvfR4kFbOi4Zlu2DU+SSfL3tr9GMjtdx/4C4V63tTrf5e5H48TISNhq08AXY+nqGjasAzKVTMJOAg8oYsQqk VfH5wNAl
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/u5yfa6SEZJ-1r8UWo1WCfPzpdks>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-acme-acme-11
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Apr 2018 00:39:52 -0000

Richard Barnes <rlb@ipv.sx> writes:
> [...]
> In other words, there's no need for version negotiation in-band to the
> protocol.

Yeah, that makes sense.

>> The handling of "terms of service agreement" seems to be insufficient,
>> [...]
>
> This mechanism has been reviewed by multiple CAs and found to be sufficient
> for their needs.  A prior version had an explicit URL, and it was found to
> cause interop problems.

I'll take their word for it.  Personally, I wouldn't consider it
particularly sufficient for *my* needs to have an alleged assent to
terms of service without any clear record of what I'm assenting *to*.
OTOH, given that there's no such record, it'd be difficult for a CA to
refute my claim of what the agreement was...

>> 6.6.1.  Subproblems
>>
>> What error type should be used in a problem document when there are
>> subproblem documents?  It seems that in this situation, the intention
>> is that the top-level problem document is not intended to carry error
>> information itself, so you want to define a "subproblems" error type,
>> to use when there is no natural overall error type.

Any comments here?

> I don't think it's all that useful to parse close semantics into this
> diagram.  "newNonce" is different, in that it serves an underlying
> transport purpose, rather than a certificate management purpose.

I'd say that if two things are shown differently in a diagram, then they
ought to *be* different, and if they're the same, they should be shown
the same way.  Certainly, when I looks at a diagram and one thing is not
shown the same way as the others, I want to know what the semantics of
that is.

>> 7.3.5.  External Account Binding
>> [...]
> You seem to be envisioning a scenario where a CA relies on accounts
> established with some third party service, which AFAIK no CA actually does.

The title of the section is "External Account Binding", and I
reflexively take "external" to mean "external to the relationship
between the CA and the client".  I think what you want to do is revise
the first paragraph

   The server MAY require a value for the "externalAccountBinding" field
   to be present in "newAccount" requests.  This can be used to
   associate an ACME account with an existing account >>that the user has
   with the CA<< in a non-ACME system, such as a CA customer database.

And perhaps change the section title to "Binding to a non-ACME Account".

Dale

v2.23.0 | Report a Bug | By Email