[TLS] comments on draft-subcerts

"Salz, Rich" <rsalz@akamai.com> Tue, 14 July 2020 17:42 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B41ED3A0C5E for <tls@ietfa.amsl.com>; Tue, 14 Jul 2020 10:42:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id DdXqgPI1AthJ for <tls@ietfa.amsl.com>; Tue, 14 Jul 2020 10:42:26 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68B783A0C55 for <tls@ietf.org>; Tue, 14 Jul 2020 10:42:25 -0700 (PDT)
Received: from pps.filterd (m0122333.ppops.net []) by mx0a-00190b01.pphosted.com ( with SMTP id 06EHSb0e009104 for <tls@ietf.org>; Tue, 14 Jul 2020 18:42:24 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=K8AfqjTiqhulZXjsnnTewvoKdxGEzXdrFU6TiiGpjyw=; b=cNwkwuMdG4FJci3x9txr4Z/cLvt4lHHmZkZCVo8ROB5F7ruPbarSjBN87vYC37Exw334 f9u1VdHxZSYq3V6qXdfZhxx3C/X+RxFNIlWu/n1YFAxgudoUud2KfT3kNL2GzKzJe++x xaoKS5T5ay0bQHdUcV5m/0wknWMxOSm86H/rN+8H8+qyk07jQ/StLK/u6ttj0jMNJZ4/ IDosOKft+JY16G+jmzTLX0z8V7nPg1l7cczcSxRx8pvDteBfA89n7nxf9M1BjR6VJY3J PYZvvTSNrp9g8RD+Ki0MmfyjsX84W8dx3tuAzAVnpVVxNZh16CgSo+7KGpuCujJvBpOm 4w==
Received: from prod-mail-ppoint7 (a72-247-45-33.deploy.static.akamaitechnologies.com [] (may be forged)) by mx0a-00190b01.pphosted.com with ESMTP id 327anen43m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Tue, 14 Jul 2020 18:42:24 +0100
Received: from pps.filterd (prod-mail-ppoint7.akamai.com []) by prod-mail-ppoint7.akamai.com ( with SMTP id 06EHZ7SS012879 for <tls@ietf.org>; Tue, 14 Jul 2020 13:42:21 -0400
Received: from email.msg.corp.akamai.com ([]) by prod-mail-ppoint7.akamai.com with ESMTP id 3278rxqsy1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Tue, 14 Jul 2020 13:42:21 -0400
Received: from USTX2EX-DAG1MB3.msg.corp.akamai.com ( by ustx2ex-dag1mb1.msg.corp.akamai.com ( with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 14 Jul 2020 12:42:20 -0500
Received: from USTX2EX-DAG1MB3.msg.corp.akamai.com ([]) by ustx2ex-dag1mb3.msg.corp.akamai.com ([]) with mapi id 15.00.1497.006; Tue, 14 Jul 2020 12:42:20 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: comments on draft-subcerts
Thread-Index: AQHWWgYf7lURQ0CEx0qsqH38k+s1qA==
Date: Tue, 14 Jul 2020 17:42:20 +0000
Message-ID: <A2E098AE-6ACE-4999-ADF2-5C1211E70CCB@akamai.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/16.38.20061401
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_A2E098AE6ACE4999ADF25C1211E70CCBakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-14_06:2020-07-14, 2020-07-14 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=444 mlxscore=0 suspectscore=0 malwarescore=0 spamscore=0 adultscore=0 phishscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007140127
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-07-14_07:2020-07-14, 2020-07-14 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 malwarescore=0 bulkscore=0 adultscore=0 mlxscore=0 spamscore=0 suspectscore=0 clxscore=1015 lowpriorityscore=0 phishscore=0 mlxlogscore=397 priorityscore=1501 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2006250000 definitions=main-2007140128
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/spRhlaoxfs2Q7H20jHxcHhd3h3k>
Subject: [TLS] comments on draft-subcerts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2020 17:42:28 -0000

In no particular order. Mostly nits.

Sec 3.2, I understand the concern of ACME being a third-party dependency, while the origin is not really.  Perhaps a sentence of explanation why it is, would help.  Or maybe just say “with an ACME server”  And then mention ACME in the origin?

Sec 4, the “valid_time” says MUST NOT exceed seven days.  That’s relative to client and server concept of “now,” right?  See note below.

Sec 4.1.1 should say that SignatureSchemeList is the same as the one in RFC 8446.  I’d prefer to see the duplication removed.

Sec 4.2 doesn’t seem to agree with the complete ASN1 in Appendix A.  The latter has DelegatedCredentialExtn which is mentioned in prose and a TBD in 4.2  Perhaps a comment or some other words to tie them together?  Or does that issue just go away when IANA does the registration?

Sec 7.5, I would put the incognito mode in a separate paragraph to call it out more clearly.

Note below:
It could be possible for the server to pre-generate delegated credentials and either hold them or distribute them. I think that is worth mentioning, with the caveat that they cannot be used until within seven days of “now”