Roman Danyliw has entered the following ballot position for draft-ietf-acme-onion-05: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-acme-onion/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Dale R. Worley for the GENART review. ** Per the normative Tor reference: [tor-spec] The Tor Project, "Tor Specifications", <https://spec.torproject.org/print.html>. Is there any versioning to the protocol or timestamp that can be provided for this bare URL ** Section 3.2. Consider providing a reference to RFC2986 for PKCS#10. ** Section 4. instead the ACME server MUST attempt to calculate its CLIENT-ID as per Part "Client Behaviour" of [tor-spec]. The section name in [tor-spec] is “Client Behavior” – “American English” spelling. ** Section 3.2. What is the basis for the nonce needing to contain at least 64- bits of entropy ** Section 8.2. Editorial. The reasons the author wishes to pursue this path in the first place are detailed in Appendix A. Should this read s/The reasons the author wishes to pursue/The reasons the WG pursued/ -- this is a consensus document. ** Section 8.5, 8.9, 8.9.1 -- Section 8.5 “A site operator SHOULD consider the privacy implications of redirecting to a non-".onion" site” -- Section 8.9 “Hidden Service operators SHOULD consider the privacy implications of this before requesting WebPKI certificates.” -- Section 8.9.1. “… for internal or non-public services, operators SHOULD consider using self-signed or privately-trusted certificates that aren't logged to certificate transparency.” What does it mean to “SHOULD consider …” a topic? This is an optional adherence (“SHOULD”) to a non-binding review (“consider”). ** Section 8.9 ACME client developers SHOULD warn users about the risks of CT logged certificates for hidden services. How would this warning be accomplished? ** Section 8.9.2 When an ACME client is registering to an ACME server it SHOULD provide minimal or obfuscated subscriber details to the CA such as a pseudonymous email address, if at all possible. What does “SHOULD … if at all possible” mean? _______________________________________________ Acme mailing list -- acme@ietf.org To unsubscribe send an email to acme-le...@ietf.org
