In no particular order. Mostly nits.

Sec 3.2, I understand the concern of ACME being a third-party dependency, while the origin is not really. Perhaps a sentence of explanation of why it is would help. Or maybe just say “with an ACME server” and then mention ACME in the origin?
Sec 4, the “valid_time” says MUST NOT exceed seven days. That’s relative to the client’s and server’s concept of “now,” right? See note below.

Sec 4.1.1 should say that SignatureSchemeList is the same as the one in RFC 8446. I’d prefer to see the duplication removed.

Sec 4.2 doesn’t seem to agree with the complete ASN.1 in Appendix A. The latter has DelegatedCredentialExtn, which is mentioned in prose and is a TBD in 4.2. Perhaps a comment or some other words to tie them together? Or does that issue just go away when IANA does the registration?

Sec 7.5, I would put the incognito mode in a separate paragraph to call it out more clearly.

Note below: It could be possible for the server to pre-generate delegated credentials and either hold them or distribute them. I think that is worth mentioning, with the caveat that they cannot be used until within seven days of “now”.

Tnx.
/r$
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
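Added example (not part of the message above or of the draft): a client-side acceptance check for a delegated credential's lifetime, showing why the seven-day cap is a question of "now" and when a pre-generated credential becomes usable. It assumes, as the draft's design implies, that valid_time is a lifetime in seconds counted from the certificate's notBefore; timestamps are POSIX seconds and the sample values are constructed.

```python
SECONDS_PER_DAY = 86_400
MAX_VALIDITY = 7 * SECONDS_PER_DAY  # the draft's cap on a credential's remaining lifetime

# Constructed sample: a certificate notBefore and a credential minted for 30 days.
NOT_BEFORE = 1_700_000_000
THIRTY_DAYS = 30 * SECONDS_PER_DAY


def credential_expiry(cert_not_before: int, valid_time: int) -> int:
    """Absolute expiry of the credential (assumed encoding: valid_time is seconds
    from the certificate's notBefore)."""
    return cert_not_before + valid_time


def check_delegated_credential(cert_not_before: int, valid_time: int, now: int):
    """Decide, at the client's own clock `now`, whether to accept the credential.
    Returns (accepted, reason)."""
    expiry = credential_expiry(cert_not_before, valid_time)
    if now >= expiry:
        return False, "credential expired"
    # The cap is on remaining lifetime as seen by the client, not on valid_time itself,
    # so a long valid_time is fine once the credential is within seven days of expiry.
    if expiry - now > MAX_VALIDITY:
        return False, "more than seven days of lifetime remain"
    return True, "ok"


def earliest_use_time(cert_not_before: int, valid_time: int) -> int:
    """For a pre-generated credential: the earliest client 'now' at which it is
    accepted, i.e. exactly seven days before it expires."""
    return credential_expiry(cert_not_before, valid_time) - MAX_VALIDITY


if __name__ == "__main__":
    first_ok = earliest_use_time(NOT_BEFORE, THIRTY_DAYS)
    # Server hands out the credential on day 0: rejected, 30 days remain.
    print(check_delegated_credential(NOT_BEFORE, THIRTY_DAYS, NOT_BEFORE))
    # Day 25: accepted, 5 days remain.
    print(check_delegated_credential(NOT_BEFORE, THIRTY_DAYS, NOT_BEFORE + 25 * SECONDS_PER_DAY))
    # Server's clock says the window just opened; a client 60 s behind still rejects it.
    print(check_delegated_credential(NOT_BEFORE, THIRTY_DAYS, first_ok))
    print(check_delegated_credential(NOT_BEFORE, THIRTY_DAYS, first_ok - 60))
```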