[secdir] Secdir review of draft-ietf-acme-authority-token

Magnus Nyström <magnusn@gmail.com> Tue, 16 November 2021 05:02 UTC


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other comments.

This document describes use of "authority tokens" in the context of ACME,
their purpose, use and format.

The document is straightforward and the Security Considerations section
seems adequate. Generally, it may help readers to include a summary of all
the options and any recommended values for the tokens, e.g. lifetime of
issued tokens. For the Security Considerations section, shouldn't mandated
supported algorithms and key sizes be specified?

Editorial: The document is in need of a grammar / wording polish, but I
expect the RFC Editor to handle this. For example, "defines a the" in the
Introduction section, and "in the way" in Section 5.1.

Thanks,
-- Magnus