Hi Mike,
Just a reminder that I do recall at least a few folks that spoke up in the f2f meeting giving support that were visiting from the Stir WG that would be the primary audience and may not be on the ACME list. Would that count towards consensus, I would hope?
-Chris

Hello ACME!
The Call for Adoption for draft-wendt-acme-authority-token-jwtclaimcon closed on 2025-09-22. Despite MCR's positive review, one comment does not constitute working group consensus. I am going to leave this document in datatracker in the state Candidate For Adoption. I encourage the authors to present at the ACME session at IETF 124 with the goal of drumming up more interest in this draft, particularly from implementers.
I read acme-authority-token-jwtclaimcon-03.
I was led into reviewing RFC8225, and RFC8226.
The document seems well formed and very complete, and I think it could
rapidly go to WGLC.
I found the explanation around token-authority in section 4 a bit hard to
understand. I was in "smile and nod" mode. I think those who know will
know, but reviewers might balk. I'm rather unclear what the ACME client will
do with this. I thought I understood RFC9447 well enough already, but
clearly I don't.
More consistent indenting of the JSON/JWT would be appreciated, such as the
POST in section 4.
I think that the "url" attribute in the Authorization object is the identical
prV_B... as from RFC8555. That's not wrong, it's just an example...., but I
worry that someone will think they need to be the same, and I think that in
real life they need to be different. So make up a new random URL.
I hadn't realized that these STIR PKIX certificates had JWT in an extension!
Is this new? Is this why this document exists?
Is the account id mentioned in section 5.2 related to the ACME Account?
I think not.
Should section 5.2 mention returning the response to the ACME server at the
challenge URL?
}5.5. ACME Challenges requiring multiple Authority Tokens
}
} The ACME new-order request may include multiple identifiers, each of
} which is authorized separately. With the introduction of this
} specification, for STIR certificates [RFC8226] two identifier types
} are authorized using Authority Tokens:
I read the document to understand how this document was dealing/documenting
multiple identities, as ACME-RATS needs/wants to do the same.
Please include the DER for the examples in section 5.5.1.1 and 5.5.1.2.
UTF8String '"nam": "James Bond"'
The use of ' and " quotes here was confusing to me at first scan.
I think that inner parts are actually JSON?
Section 5.5.2 has "sti-ca.com" rather than example.com.
Who will be implementing this?
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]