These changes resolve my concerns.
Russ
> On Apr 9, 2021, at 5:40 PM, Brian Sipos <bsi...@rkf-eng.com> wrote:
>
> Russ,
> Thank you for the review comments. My responses are inline with prefix
> "[BS1]".
>
>> I think that this document is almost ready. I have a few comments.
>
>> MAJOR:
>
>> Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that
>> profile does not require the certificate to
> include an EKU of id-kp-bundleSecurity. When this document is used to verify
> control over the DTN Node ID, I think the
> issued certificate MUST include an EKU of id-kp-bundleSecurity. If other
> means are used to validate other identities,
> then other EKU values might be included as well.
>
> [BS1] This seems reasonable to require. I suppose the "email-reply-00"
> document [1] just leaves out any discussion of
> EKU because the preexisting S/MIME documents define a more concrete
> certificate profile and there is a lot of momentum
> behind S/MIME implementation. I'm going to add statements about the EKU in
> the CSR and the issued certificate.
>
>> Section 4.2 is talking about S/MIME certificates. I think there is a
>> cut-and-paste error here.
>
> [BS1] Yes, these statements should replace "S/MIME" with "bundle security".
>
>> MINOR:
>
>> Section 3.1 says: "The only over-the-wire data required by ACME for a
>> Challenge Bundle is a nonce token ...". This
> is the first time that "nonce" appears in the document. Please reword.
>
> [BS1] I removed this statement and replaced it with a statement about the
> token-part2 scope:
> The <token-part2> value included in this object is fixed for the entire
> challenge, and may correspond with multiple
> separate <token-part1> values when multiple Challenge Bundles are sent for a
> single validation.
>
>> Section 3.3 and 3.4: in the beginning of the section, please add a pointer
>> to the document that defines these
> parameters. I think it is draft-ietf-dtn-bpbis.
>
> [BS1] That is the correct reference. I am adding a statement at the top of
> each section.
>
>> Section 6.1: please provide a reference for "BPSEC key material", and please
>> spell out "BCB".
>
> [BS1] I removed this speculative text and replaced it with:
> It is possible for intermediate BP nodes to encapsulate-and-encrypt Challenge
> and/or Response Bundles while they
> traverse untrusted networks, but that is a DTN configuration matter outside
> of the scope of this document.
>
>> NITS:
>
>> Section 1: please spell out BP on first use.
>> Section 2: s/wildcard ("*") character/wildcard character ("*")/
>> Section 6.2: please spell out "BIB".
>
> [BS1] I am correcting all of these typos.
>
>
> [1] https://tools.ietf.org/html/draft-ietf-acme-email-smime-14
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
