
I performed an AD review of draft-ietf-acme-subdomains-04.  Thanks for this 
work to extend ACME capability.  I have a few comments below, but they aren't 
significant enough to hold the document.  Please address them concurrently with 

** Section 1.  Editorial.

   ACME [RFC8555] defines a protocol that a certification authority (CA)
   and an applicant can use to automate the process of domain name
   ownership validation and X.509v3 (PKIX) [RFC5280] certificate
   issuance.  This document outlines how ACME can be used to issue
   subdomain certificates, without requiring the ACME client to
   explicitly fulfill an ownership challenge against the subdomain
   identifiers - the ACME client need only fulfill an ownership
   challenge against a parent domain identifier.

Sentence one talks about a "CA" and an "applicant".  With no bridging, sentence 
two starts using a different term of "ACME client".

** Section 2.  Editorial. This section takes direct quotes out of RFC8499 but 
does not put quotation marks around them.  However, when text is taken from 
RFC1034 it has quotes.  Recommend consistency.

** Section 3.  As with the clarification on "identifiers", consider saying a bit 
more about ACME supporting multiple validation methods.  Pointing to 
https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods would 
make for an easy and durable enumeration.

** Section 3.
   ACME places the following restrictions on "identifiers":

   *  [RFC8555] section 7.1.4: the only type of "identifier" defined by
      the ACME specification is an FQDN: "The only type of identifier
      defined by this specification is a fully qualified domain name
      (type: "dns").  The domain name MUST be encoded in the form in
      which it would appear in a certificate."

It seems like there is a subtle distinction to clarify here.  Yes, RFC8555 only 
specified the "dns" identifier.  However, it also enabled a broader ACME 
ecosystem via 
https://www.iana.org/assignments/acme/acme.xhtml#acme-identifier-types. Isn't 
the relevant thing to say here that _this_ document only supports the "dns" 

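As an added illustration (my own example, not text from the draft or the review), this is how a CA-side check could apply the "dns"-only identifier restriction quoted above together with the draft's parent-domain idea: a requested name is covered when it equals, or sits under on a label boundary, a domain for which the client has fulfilled a challenge. The function names and the JSON identifier shape are assumptions; wildcard names are left out as a simplification.

```python
import re
from dataclasses import dataclass

# Assumption (not from the review or the draft): identifiers are the JSON
# objects RFC 8555 uses in newOrder, e.g. {"type": "dns", "value": "a.example.com"}.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class DnsIdentifier:
    labels: tuple  # ("a", "example", "com") for a.example.com

    def __str__(self):
        return ".".join(self.labels)


def parse_identifier(obj):
    """Enforce the RFC 8555 restriction: type must be "dns" and the value an FQDN
    in certificate form (ASCII labels, no trailing dot). Wildcards are rejected
    here as a simplification; RFC 8555 handles "*" separately."""
    if obj.get("type") != "dns":
        raise ValueError("unsupported identifier type: %r" % (obj.get("type"),))
    value = obj.get("value")
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("malformed dns identifier: %r" % (value,))
    labels = tuple(value.lower().split("."))  # DNS names compare case-insensitively
    # The label regex also rejects "" (from a trailing dot), "*" and whitespace.
    if not all(_LABEL.match(lbl) for lbl in labels):
        raise ValueError("malformed dns identifier: %r" % (value,))
    return DnsIdentifier(labels)


def covered_by(requested, authorized):
    """True if an authorization for `authorized` covers `requested`: the names are
    equal, or `requested` is a proper subdomain on a label boundary. A plain
    string-suffix test would wrongly accept evilexample.com for example.com."""
    n = len(authorized.labels)
    return len(requested.labels) >= n and requested.labels[-n:] == authorized.labels


def uncovered_identifiers(order_identifiers, authorized_identifiers):
    """Names in an order for which no exact or parent-domain authorization exists."""
    parents = [parse_identifier(a) for a in authorized_identifiers]
    return [str(ident) for ident in map(parse_identifier, order_identifiers)
            if not any(covered_by(ident, p) for p in parents)]
```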

Acme mailing list