Hello ACME!

The Call for Adoption
for draft-wendt-acme-authority-token-jwtclaimcon closed on 2025-09-22.
Despite MCR's positive review, one comment does not constitute working
group consensus. I am going to leave this document in datatracker in the
state Candidate For Adoption. I encourage the authors to present at the
ACME session at IETF 124 with the goal of drumming up more interest in this
draft, particularly from implementers.

On Wed, 10 Sept 2025 at 16:14, Michael Richardson <[email protected]>
wrote:

>
> I read acme-authority-token-jwtclaimcon-03.
> I was led into reviewing RFC8225, and RFC8226.
> The document seems well formed and very complete, and I think it could
> rapidly go to WGLC.
>
> I found the explanation around token-authority in section 4 a bit hard to
> understand.  I was in "smile and nod" mode.  I think those who know will
> know, but reviewers might balk.  I'm rather unclear what the ACME client
> will do with this.   I thought I understood RFC9447 well enough already, but
> clearly I don't.
>
> More consistent indenting of the JSON/JWT would be appreciated, such as the
> POST in section 4.
>
> I think that the "url" attribute in the Authorization object is the
> identical prV_B... as from RFC8555.  That's not wrong, it's just an
> example...., but I worry that someone will think they need to be the same,
> and I think that in real life they need to be different.  So make up a new
> random URL.
>
> I hadn't realized that these STIR PKIX certificates had JWT in an extension!
> Is this new?  Is this why this document exists?
>
> Is the account id mentioned in section 5.2 related to the ACME Account?
> I think not.
>
> Should section 5.2 mention returning the response to the ACME server at the
> challenge URL?
>
> }5.5.  ACME Challenges requiring multiple Authority Tokens
> }
> }   The ACME new-order request may include multiple identifiers, each of
> }   which is authorized separately.  With the introduction of this
> }   specification, for STIR certificates [RFC8226] two identifier types
> }   are authorized using Authority Tokens:
>
> I read the document to understand how this document was dealing/documenting
> multiple identities, as ACME-RATS needs/wants to do the same.
>
> Please include the DER for the examples in section 5.5.1.1 and 5.5.1.2.
>              UTF8String '"nam": "James Bond"'
>
> The use of ' and " quotes here was confusing to me at first scan.
> I think that inner parts are actually JSON?
>
> Section 5.5.2 has "sti-ca.com" rather than example.com.
>
> Who will be implementing this?
>
> --
> Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
>
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]