Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
> On Aug 29, 2018, at 8:10 PM, Richard Barnes wrote: > > > I am not an ART AD, but there is not yet an internationalization > directorate, and seeing statements like "inputs for digest computations > MUST be encoded using the UTF-8 character set" (Section 5) without > additional discussion of normalization and/or what the canonical form for > the digest input is makes me nervous. Has sufficient internationalization > review been performed to ensure that there are no latent issues in this > space? > > Two of the three ART ADs have already signed off, so we have that going for > us :) > > The only place we have human-readable text is in the problem documents, so at > that level, the i18n considerations are handled by that spec. Other than > that, everything is ASCII, so saying "UTF-8" is just a fancy way of saying, > "don't send extra zero bytes". > I am an ART AD, for what it’s worth :-) I didn’t sweat this because of the exact reason mentioned; that is, this seems mostly not intended to be read by humans. On a related note, I did note some heartburn about the reference to RFC 3492 for IDNA, but for the purposes of ACME I suspect that’s the right thing to do. OTOH, Alexey is more of an expert on IDNA than I am. Alexey? Ben. signature.asc Description: Message signed with OpenPGP ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
Re: [Acme] Ben Campbell's Yes on draft-ietf-acme-acme-14: (with COMMENT)
Thanks for the response! One clarification below: Ben. > On Aug 29, 2018, at 8:57 AM, Richard Barnes wrote: > [...] > > > *** Editorial and Nits *** > > > §10.2: " >It is RECOMMENDED that the server perform DNS queries and make HTTP >connections from various network perspectives..." > > §7.3.6: " The inner JWS is NOT REQUIRED to have a "nonce" header parameter." > > "NOT REQUIRED" is not among the terms defined by 2119/8174. I suspect this is > intended as a statement of fact, and should therefore not be capitalized. > > Changed "NOT REQUIRED to have" to "MAY omit". I do want some 2119/8174 > language here since it's modifying normative requirements above > > > I'm not sure what that means. Given that this uses an upper-case RECOMMENDED, > can it be stated more concretely? > > Not totally sure what's unclear here, but I added some words to try to > clarify. Oops, that was a cut and paste error. The “I’m not sure what that means...” comment was intended to apply to the quote from §10.2. [...] signature.asc Description: Message signed with OpenPGP ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
[Acme] Ben Campbell's Yes on draft-ietf-acme-acme-14: (with COMMENT)
Ben Campbell has entered the following ballot position for draft-ietf-acme-acme-14: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-acme-acme/ -- COMMENT: -- Thanks for the work on this; I'm happy to see it nearing completion. I have a few minor comments: *** Substantive *** §6.1: "The ACME server acts as an HTTP and HTTPS client when validating challenges via HTTP." Section 8.3 says that HTTP challenge validation cannot use HTTPS. Also, §6 says that all interactions between the client and server use HTTPS. I recognize challenge validation is not really an interaction between the client and server, but I suspect some readers may be confused. - "ACME servers SHOULD follow the recommendations of [RFC7525] when configuring their TLS implementations." Why not MUST? §7.3: "... and the server MUST reject new-account requests that do not have the "termsOfServiceAgreed" field set to "true". " The MUST seems overly strong there; is there no room for local policy? Would it be completely insane to offer optional ToS? (For example, maybe one gets some additional service for agreeing to terms, but still gets a cert either way.) - "Clients SHOULD NOT automatically agree to terms by default." Why not MUST NOT? §8.3: - Is there a lifetime after which a provisioned HTTP resource in response to a challenge should go away? *** Editorial and Nits *** §2, first paragraph: Is the "user" the person requesting services from the ACME server? §10.2: " It is RECOMMENDED that the server perform DNS queries and make HTTP connections from various network perspectives..." §7.3.6: " The inner JWS is NOT REQUIRED to have a "nonce" header parameter." "NOT REQUIRED" is not among the terms defined by 2119/8174. I suspect this is intended as a statement of fact, and should therefore not be capitalized. I'm not sure what that means. Given that this uses an upper-case RECOMMENDED, can it be stated more concretely? §13.3: Is this section also to be removed? ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
