Hi Peter, Many thanks for the speedy review! I'll merge in those editorial nits.
> what does it mean for a nonce to have a validity period?

This requirement is lifted from the CA/BF Baseline Requirements. Basically it means once a server has generated a nonce it must not accept a response to a challenge using that nonce >30 days after the nonce was generated. I think a little rewording is in order on that point to make it clearer.

> In 6.4, will it be clear to people more proficient in ACME that a null value for caa becomes a zero length string for signature calculation purposes?

This is true, and I agree it's presently not clear enough that this is the case.

> I wonder what would happen if the CA's software was running under something like `torify`.

If my understanding of how Torify works is correct, this would both a) not work for hidden services, as Torify doesn't intercept DNS lookups, and b) violate section 8.4, as Tor would be used for websites on the open internet. I don't think an extra note on this is required.

> Should 8.7 have a few words on Certificate Transparency?

That's probably a good idea. While there's a separate discussion to be had on CT within Tor, as things currently stand a Hidden Service will make itself more known by causing itself to be included in CT logs.
On Tue, 20 Aug 2024 at 13:10, Peter van Dijk via Datatracker <nore...@ietf.org> wrote:

> Reviewer: Peter van Dijk
> Review result: Ready with Nits
>
> I am the assigned DNSDIR reviewer for this document. This review is for version -02, although I see that the working version on GitHub is slightly newer.
>
> While writing this review, I filed a PR on GitHub with a few small editorial nits (https://github.com/AS207960/acme-onion/pull/3).
>
> Note that while I am well versed in DNS, I'm somewhat weaker when it comes to all of Tor, ACME, and X.509 in general, so it is possible I ask dumb questions :-)
>
> This document is in great shape and appears to be well thought out. I see nothing that prevents publication, but I do have a few questions/small notes. I have marked this review as "Ready with Nits".
>
> I cannot fully vet section 3.2, but it did raise a question for me:
>
> > nonce ... "It MUST NOT be valid for more than 30 days."
>
> what does it mean for a nonce to have a validity period?
>
> I also cannot fully judge section 4, but it seems coherent.
>
> Section 6 comes closer to DNS than any other part of the document, and this mapping of CAA into service data makes sense to me. The single bit "caa-critical" signal in 6.3 is clever.
>
> 6.4 makes me wonder if we could do the same trick in DNS land - using DNSSEC keys to sign a CAA sent in an ACME request, but I digress :)
>
> In 6.4, will it be clear to people more proficient in ACME that a null value for caa becomes a zero length string for signature calculation purposes? (Assuming that that is true.)
>
> I agree with the considerations in section 8.1, although I wonder what would happen if the CA's software was running under something like `torify`.
>
> Should 8.7 have a few words on Certificate Transparency?
>
> The rest of 8 makes sense to me.
>
> In Appendix A, the bit
>
> > ".onion" s
>
> looks weird. Perhaps lose the space? (There's another spurious space, with different origins, before Iain's last name in the Acknowledgements.)
>
>
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-le...@ietf.org
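The section 6.4 point raised in the review and confirmed in the reply above (a null `caa` is signed as a zero-length string), as an added example that is not code from the draft or the acme-onion project. The `onion-caa|` / `|` layout of the signed bytes, the `expiry` comparison, and the HMAC stand-in for the hidden service's Ed25519 key are assumptions made for this example only.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the hidden service's long-term key. The draft signs
# with the service's Ed25519 key; HMAC-SHA256 is used here only so the example
# runs with the standard library. The byte layout below is an assumption for
# this example, not text quoted from the draft.
SERVICE_KEY = b"constructed-example-key"


def signing_input(caa: Optional[str], expiry: int) -> bytes:
    # A null caa (no CAA policy published) is covered as the empty string, so
    # the signed bytes for null and for "" are identical by construction.
    return b"onion-caa|" + str(expiry).encode() + b"|" + (caa or "").encode()


def sign_onion_caa(caa: Optional[str], expiry: int) -> bytes:
    return hmac.new(SERVICE_KEY, signing_input(caa, expiry), hashlib.sha256).digest()


def verify_onion_caa(caa: Optional[str], expiry: int, signature: bytes, now: int) -> bool:
    # CA side: reject an expired assertion before looking at the signature
    # (treating expiry as exclusive is an assumption here), then compare in
    # constant time.
    if now >= expiry:
        return False
    return hmac.compare_digest(sign_onion_caa(caa, expiry), signature)


def json_style_input(caa: Optional[str], expiry: int) -> bytes:
    # What a verifier that serialises the JSON literal `null` would cover.
    # It disagrees with signing_input() exactly when caa is null, which is
    # why the draft needs to state the zero-length-string rule explicitly.
    text = "null" if caa is None else caa
    return b"onion-caa|" + str(expiry).encode() + b"|" + text.encode()
```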