I read acme-authority-token-jwtclaimcon-03. I was led into reviewing RFC8225 and RFC8226. The document seems well formed and very complete, and I think it could rapidly go to WGLC.
I found the explanation around token-authority in section 4 a bit hard to
understand. I was in "smile and nod" mode. I think those who know will
know, but reviewers might balk. I'm rather unclear what the ACME client will
do with this. I thought I understood RFC9447 well enough already, but
clearly I don't.
More consistent indenting of the JSON/JWT would be appreciated, such as the
POST in section 4.
I think that the "url" attribute in the Authorization object is the identical
prV_B... as from RFC8555. That's not wrong, it's just an example, but I
worry that someone will think they need to be the same, and I think that in
real life they need to be different. So make up a new random URL.
I hadn't realized that these STIR PKIX certificates had JWT in an extension!
Is this new? Is this why this document exists?
Is the account id mentioned in section 5.2 related to the ACME Account?
I think not.
Should section 5.2 mention returning the response to the ACME server at the
challenge URL?
}5.5. ACME Challenges requiring multiple Authority Tokens
}
} The ACME new-order request may include multiple identifiers, each of
} which is authorized separately. With the introduction of this
} specification, for STIR certificates [RFC8226] two identifier types
} are authorized using Authority Tokens:
I read the document to understand how this document was dealing/documenting
multiple identities, as ACME-RATS needs/wants to do the same.
Please include the DER for the examples in section 5.5.1.1 and 5.5.1.2.
UTF8String '"nam": "James Bond"'
The use of ' and " quotes here was confusing to me at first scan.
I think that inner parts are actually JSON?
Section 5.5.2 has "sti-ca.com" rather than example.com.
Who will be implementing this?
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide