Thank you Q, The change fully addresses my previous DISCUSS, I am clearing my ballot in a No Objection ballot.
Regards -éric From: Q Misell <q=40as207960....@dmarc.ietf.org> Date: Wednesday, 15 January 2025 at 09:08 To: Eric Vyncke (evyncke) <evyn...@cisco.com> Cc: Q Misell <q=40as207960....@dmarc.ietf.org>, Tomofumi Okubo <tomofumi.ok...@gmail.com>, The IESG <i...@ietf.org>, draft-ietf-acme-on...@ietf.org <draft-ietf-acme-on...@ietf.org>, acme-cha...@ietf.org <acme-cha...@ietf.org>, acme@ietf.org <acme@ietf.org>, tomofumi.okubo+i...@gmail.com <tomofumi.okubo+i...@gmail.com> Subject: Re: Éric Vyncke's Discuss on draft-ietf-acme-onion-05: (with DISCUSS and COMMENT) Your wish is my command, I have just pushed -07 with that change. ________________________________ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574<https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. Ar Maw, 14 Ion 2025 am 18:37 Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> ysgrifennodd: Q, this would be perfect. As soon as the revised -07 is submitted with such a text, I am clearing my DISCUSS. Please note that I will be away from my keyboard for 2 weeks in 2 days 😲 Regards -éric From: Q Misell <q...@as207960.net<mailto:q...@as207960.net>> Date: Tuesday, 14 January 2025 at 17:25 To: Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> Cc: Q Misell <q=40as207960....@dmarc.ietf.org<mailto:40as207960....@dmarc.ietf.org>>, Tomofumi Okubo <tomofumi.ok...@gmail.com<mailto:tomofumi.ok...@gmail.com>>, The IESG <i...@ietf.org<mailto:i...@ietf.org>>, draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org> <draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org>>, acme-cha...@ietf.org<mailto:acme-cha...@ietf.org> <acme-cha...@ietf.org<mailto:acme-cha...@ietf.org>>, acme@ietf.org<mailto:acme@ietf.org> <acme@ietf.org<mailto:acme@ietf.org>>, tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com> <tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com>> Subject: Re: Éric Vyncke's Discuss on draft-ietf-acme-onion-05: (with DISCUSS and COMMENT) Indeed, I did not understand - thanks for clarifying. I will make an appropriate amendment to make it clear that "onion-csr-01" is only for use in the context of .onion domains. ________________________________ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574<https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. Ar Maw, 14 Ion 2025 am 15:47 Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> ysgrifennodd: Hello Q, Thanks for your reply and the updated version, which addresses all my non-blocking COMMENT. It seems that I was not clear in my DISCUSS point though, sorry about that. The DISCUSS is based on the text below that I find ambiguous whether “onion-csr-01” challenge can be used also for non “.onion” FQDN, and by ‘can be used’ I do not only mean technically but also whether the ACME WG has agreed on this extended non .onion use and whether it fits the ACME charter. All in all, adding a sentence like “This “onion-csr-01” challenge MAY (or MUST NOT) be used for non “.onion” Special-Use Domain Names.” Will clear the ambiguity and I will clear my DISCUSS ballot. ``` Two methods already defined in ACME and allowed by the CA/BF ("http-01" and "tls-alpn-01") do not allow issuance of wildcard certificates. A ".onion" Special-Use Domain Name can have subdomains (just like any other domain in the DNS), and a site operator may find it useful to have one certificate for all virtual hosts on their site. ``` Regards -éric From: Q Misell <q=40as207960....@dmarc.ietf.org<mailto:40as207960....@dmarc.ietf.org>> Date: Monday, 13 January 2025 at 10:57 To: Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> Cc: Tomofumi Okubo <tomofumi.ok...@gmail.com<mailto:tomofumi.ok...@gmail.com>>, The IESG <i...@ietf.org<mailto:i...@ietf.org>>, draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org> <draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org>>, acme-cha...@ietf.org<mailto:acme-cha...@ietf.org> <acme-cha...@ietf.org<mailto:acme-cha...@ietf.org>>, acme@ietf.org<mailto:acme@ietf.org> <acme@ietf.org<mailto:acme@ietf.org>>, tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com> <tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com>> Subject: Re: Éric Vyncke's Discuss on draft-ietf-acme-onion-05: (with DISCUSS and COMMENT) Hi Eric, > May the onion-csr-01 challenge be used over the plain global Internet? As it > allows for wildcard certificates and plain ACME does not, it would seem > necessary to specify whether it is supported or forbidden. I do not quite follow what you mean here. This document defines extensions to ACME, and ACME may be carried over the plain Internet or over Tor. "onion-csr-01" only makes sense in the context of requesting certificates for .onion domains, however the medium over which these are requests are made is of no concern to ACME. > s/These use the ".onion"/These services use the ".onion"/ (I had to re-read > the whole sentence 3 times to understand it) Will incorporate. > As 3.1.1 uses 'MUST NOT', suggest to s/can be used/MAY be used/ Agreed, will incorporate. > What is the basis for selecting 30 days? I would assume that the ACME > challenge/response is done within minutes if not seconds. Or is this > challenge/response assumed to be executed multiple times? This is copied from the CA/BF BRs, I will add a reference to them. It may be that some manual work is involved in accessing an offline identity key on a HSM or some air-gapped machine, hence the long time. > Only supporting Ed25519 seems to lack agility or am I missing something? Tor only supports Ed25519. > It is also unclear to me whether authKey is the client public key (probably) > or the server public key. Please add clarifying text. Will do. > Is authKey the same field as in section 3.2? I will add a cross reference between section 3.2 and section 4. > To avoid any ambiguity, please add a reference to the registry by its URI Will do. Q ________________________________ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574<https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. Ar Iau, 9 Ion 2025 am 12:58 Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> ysgrifennodd: Hello Tomofumi, Thanks for your reply and for the shepherd’s write-up update: it makes sense indeed to set the intended status to PS. Regards -éric From: Tomofumi Okubo <tomofumi.ok...@gmail.com<mailto:tomofumi.ok...@gmail.com>> Date: Wednesday, 8 January 2025 at 20:01 To: Eric Vyncke (evyncke) <evyn...@cisco.com<mailto:evyn...@cisco.com>> Cc: The IESG <i...@ietf.org<mailto:i...@ietf.org>>, draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org> <draft-ietf-acme-on...@ietf.org<mailto:draft-ietf-acme-on...@ietf.org>>, acme-cha...@ietf.org<mailto:acme-cha...@ietf.org> <acme-cha...@ietf.org<mailto:acme-cha...@ietf.org>>, acme@ietf.org<mailto:acme@ietf.org> <acme@ietf.org<mailto:acme@ietf.org>>, tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com> <tomofumi.okubo+i...@gmail.com<mailto:tomofumi.okubo%2bi...@gmail.com>> Subject: Re: Éric Vyncke's Discuss on draft-ietf-acme-onion-05: (with DISCUSS and COMMENT) Hello Éric, My apologies for the delayed response. Thank you very much for the review and comments. Onion is an extension to RFC8555 which is standards track and already has some implementations as well. Therefore, I do believe that the proposed standard would be the suitable status for this draft. I have also updated the shepherd's write-up accordingly. Thanks again! Tomofumi On Thu, Jan 2, 2025 at 8:33 PM Éric Vyncke via Datatracker <nore...@ietf.org<mailto:nore...@ietf.org>> wrote: Éric Vyncke has entered the following ballot position for draft-ietf-acme-onion-05: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-acme-onion/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- # Éric Vyncke, INT AD, comments for draft-ietf-acme-onion-05 CC @evyncke Thank you for the work put into this document. Please find below one blocking DISCUSS points (easy to address, i.e., I simply want to check this point), some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits. Special thanks to Tomofumi Okubo for the shepherd's detailed write-up including the WG consensus *but it lacks* the justification of the intended status. You may also expect a DNS directorate review as it has been requested. I hope that this review helps to improve the document, Regards, -éric ## DISCUSS (blocking) As noted in https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is just a request to have a discussion on the following topics: ### onion-csr-01 and global Internet ACME It is easy to clear this DISCUSS by replying to the next paragraph. May the onion-csr-01 challenge be used over the plain global Internet ? As it allows for wildcard certificates and plain ACME does not, it would seem necessary to specify whether it is supported or forbidden. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ## COMMENTS (non-blocking) ### Section 1 s/These use the ".onion"/These services use the ".onion"/ (I had to re-read the whole sentence 3 times to understand it) ### Sections 3.1.2 and 3.1.3 As 3.1.1 uses 'MUST NOT', suggest to s/can be used/MAY be used/ ### Section 3.2 What is the basis for selecting 30 days? I would assume that the ACME challenge/response is done within minutes if not seconds. Or is this challenge/response assumed to be executed multiple times ? Only supporting Ed25519 seems to lack agility or am I missing something ? It is also unclear to me whether authKey is the client public key (probably) or the server public key. Please add clarifying text. Some explanations could be given on when to use this field. ### Section 4 Is authKey the same field as in section 3.2 ? This would explain this field role but is confusing to the reader. Suggest adding something like "this field is specified in section 4' when introducing this field in section 3.2. ### Section 7.1 To avoid any ambiguity, please add a reference to the registry by its URI https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods The legend of table 1 should probably use singular and not plural.
_______________________________________________ Acme mailing list -- acme@ietf.org To unsubscribe send an email to acme-le...@ietf.org
