Hi Roman,

Apologies for missing these emails. I have updated a new version of the draft 11 to address these final issues.

For the last comment about "x5u" vs "x5c" I have updated the verification procedures to incorporate both possibilities. Thanks to you and Sean for guidance on other fixes as well.

-Chris

> On Oct 20, 2022, at 10:05 PM, Roman Danyliw <[email protected]> wrote:
>
> Hi!
>
> Thanks for the WGLC to confirm the changes made to
> draft-ietf-acme-authority-token-tnauthlist in response to the IESG review.
> I've asked the three ADs holding DISCUSS positions to re-review the document.
>
> I also reviewed the document again and went through the diffs with the chairs
> and Sean Turner (ARTART reviewer) (thank you!) to generate the following
> list of additional edits to make or discussion to have:
>
> (1) Per Paul's ballot held for Francesca
>
> ==[ snip ]==
> ** Section 3.
>
> FP: the response is missing the Content-Type field
> ==[ snip ]==
>
> Edit to make:
>
> OLD:
>
> HTTP/1.1 201 Created
> Replay-Nonce: MYAuvOpaoIiywTezizk5vw
> Location: https://example.com/acme/order/1234
>
> NEW:
>
> HTTP/1.1 201 Created
> Content-Type: application/json
> Replay-Nonce: MYAuvOpaoIiywTezizk5vw
> Location: https://example.com/acme/order/1234
>
> (2) Per Éric's ballot
>
> ==[ snip ]==
> -- Section 6 --
> In "then the CA MUST set the challenge object "status" to "valid"", isn't it
> up to the ACME server to do this action?
> ==[ snip ]==
>
> Edit to make:
>
> s/then the CA MUST/then the ACME server MUST/
>
> (3) Per Lars' ballot
>
> -- Section 5.4:
>
> OLD
> "ca" is an optional key, if it not included the "ca" value is considered
> false by default.
>
> NEW
> "ca" is an optional key, if not included the "ca" value is considered false
> by default.
>
> -- Section 9: s/a SPC/an SPC
>
> (4) Per Ben's ballot
>
> ==[ snip ]==
> (3) I think my discuss point on draft-ietf-acme-authority-token about
> how the issuer is identified will also apply (with slight modification)
> to this document -- in §5.1 we have text that indicates either "iss" or
> "x5u" identifies the issuer, which I do not believe to be accurate.
> ==[ snip ]==
>
> 5.1. "iss" claim
>
> The "iss" claim is an optional claim defined in [RFC7519]
> Section 4.1.1. It can be used as a URL identifying the Token
> Authority that issued the TNAuthList Authority Token beyond the "x5u"
> or other Header claims that identify the location of the certificate
> or certificate chain of the Token Authority used to validate the
> TNAuthList Authority Token.
>
> Why does draft-ietf-acme-authority-token allow for the possibility of "x5c",
> but the text here doesn't mention it?
>
> Thanks,
> Roman
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
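As an added illustration of the "x5u" vs "x5c" point raised in (4) above (example code written for this page, not from the draft or from any ACME implementation): a small Python routine that reads the protected header of a compact-serialized token and reports where the Token Authority's certificate chain is to be found, accepting either an "x5u" URL or an embedded "x5c" chain, and returning the optional "iss" claim alongside it. The function names, the constructed sample tokens, and the choice to prefer an embedded x5c chain when both header members are present are this example's own assumptions.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url with the '=' padding stripped (RFC 7515).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def locate_token_authority_cert(token: str) -> dict:
    """Read a compact JWS and report how the Token Authority certificate chain
    is located: an "x5u" URL to fetch, or an "x5c" chain embedded in the
    header. The optional "iss" claim is returned separately so the caller can
    compare it against the identity in the validated certificate. No signature
    check happens here; that is done once the chain has been validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    result = {"alg": header.get("alg"), "iss": payload.get("iss")}
    if "x5c" in header:
        # Embedded chain: list of standard-base64 DER certs, end-entity first.
        # Assumption of this example: an embedded chain takes precedence.
        chain = header["x5c"]
        if not isinstance(chain, list) or not chain:
            raise ValueError("x5c must be a non-empty list of base64 DER certs")
        result.update(source="x5c", chain=[base64.b64decode(c) for c in chain])
    elif "x5u" in header:
        # Remote chain: RFC 7515 requires an integrity-protected (TLS) fetch.
        url = header["x5u"]
        if not isinstance(url, str) or not url.startswith("https://"):
            raise ValueError("x5u must be an https:// URL")
        result.update(source="x5u", url=url)
    else:
        raise ValueError("header carries neither x5u nor x5c; the Token "
                         "Authority certificate cannot be located")
    return result


def _constructed_token(header: dict, payload: dict) -> str:
    # Constructed sample with a dummy signature; not a real Authority Token.
    def seg(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([seg(header), seg(payload), _b64url_encode(b"dummy-sig")])


SAMPLE_X5U_TOKEN = _constructed_token(
    {"alg": "ES256", "typ": "JWT", "x5u": "https://authority.example/ta.pem"},
    {"iss": "https://authority.example", "exp": 1666310700})
SAMPLE_X5C_TOKEN = _constructed_token(
    {"alg": "ES256", "typ": "JWT",
     "x5c": [base64.b64encode(b"DER-placeholder").decode()]},
    {"iss": "https://authority.example", "exp": 1666310700})
```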
