Automated Certificate Management Environment (ACME) Challenges Using an Authority Token
draft-ietf-acme-authority-token-09
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2023-09-07
|
09 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2023-07-25
|
09 | (System) | RFC Editor state changed to AUTH48 |
2023-07-07
|
09 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2023-07-07
|
09 | (System) | RFC Editor state changed to RFC-EDITOR from IANA |
2023-07-07
|
09 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2023-07-07
|
09 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2023-05-09
|
09 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2023-05-08
|
09 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2023-04-28
|
09 | (System) | RFC Editor state changed to IANA from RFC-EDITOR |
2023-04-28
|
09 | (System) | RFC Editor state changed to RFC-EDITOR from REF |
2023-04-26
|
09 | (System) | RFC Editor state changed to REF from EDIT |
2023-02-21
|
09 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2023-02-16
|
09 | (System) | RFC Editor state changed to EDIT |
2023-02-16
|
09 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2023-02-16
|
09 | (System) | Announcement was received by RFC Editor |
2023-02-16
|
09 | (System) | IANA Action state changed to In Progress |
2023-02-16
|
09 | Cindy Morgan | IESG state changed to Approved-announcement sent from Approved-announcement to be sent |
2023-02-16
|
09 | Cindy Morgan | IESG has approved the document |
2023-02-16
|
09 | Cindy Morgan | Closed "Approve" ballot |
2023-02-16
|
09 | Cindy Morgan | Ballot approval text was generated |
2023-02-16
|
09 | Roman Danyliw | IESG state changed to Approved-announcement to be sent from Approved-announcement to be sent::AD Followup |
2022-11-07
|
09 | Roman Danyliw | Document state: This document is ready to progress with the information we have now. No further action is needed by the WG. Given the interrelationship … Document state: This document is ready to progress with the information we have now. No further action is needed by the WG. Given the interrelationship between this document and draft-ietf-acme-authority-token-tnauthlist, and the coordinated changes historically made between them, my intent is to progress them to the RFC Editor together. This arrangement will support the unlikely situation that any additional changes to the tnauthlist document may required updates to this document. |
2022-10-24
|
09 | (System) | Removed all action holders (IESG state changed) |
2022-10-24
|
09 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2022-10-24
|
09 | Jon Peterson | New version available: draft-ietf-acme-authority-token-09.txt |
2022-10-24
|
09 | (System) | New version approved |
2022-10-24
|
09 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , David Hancock , Jon Peterson , Mary Barnes |
2022-10-24
|
09 | Jon Peterson | Uploaded new revision |
2022-10-20
|
08 | Roman Danyliw | Please revise per https://mailarchive.ietf.org/arch/msg/acme/yNhZJD53eh_FPqvVmaOpbzPkh6M/ |
2022-10-20
|
08 | (System) | Changed action holders to Mary Barnes, Jon Peterson, David Hancock, Chris Wendt (IESG state changed) |
2022-10-20
|
08 | Roman Danyliw | IESG state changed to Approved-announcement to be sent::Revised I-D Needed from IESG Evaluation |
2022-08-24
|
08 | Deb Cooley | Tag AD Followup cleared. |
2022-08-24
|
08 | Deb Cooley | IETF WG state changed to In WG Last Call from Submitted to IESG for Publication |
2022-07-13
|
08 | Murray Kucherawy | [Ballot Position Update] Position for Murray Kucherawy has been changed to No Objection from Discuss |
2022-07-11
|
08 | (System) | Changed action holders to Roman Danyliw (IESG state changed) |
2022-07-11
|
08 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2022-07-11
|
08 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2022-07-11
|
08 | Jon Peterson | New version available: draft-ietf-acme-authority-token-08.txt |
2022-07-11
|
08 | Jon Peterson | New version accepted (logged-in submitter: Jon Peterson) |
2022-07-11
|
08 | Jon Peterson | Uploaded new revision |
2021-12-05
|
07 | Barry Leiba | Closed request for Last Call review by ARTART with state 'Overtaken by Events': Document has finished IESG processing |
2021-12-05
|
07 | Barry Leiba | Assignment of request for Last Call review by ARTART to Tim Bray was marked no-response |
2021-12-02
|
07 | (System) | Changed action holders to Mary Barnes, Jon Peterson, Roman Danyliw, David Hancock, Chris Wendt (IESG state changed) |
2021-12-02
|
07 | Cindy Morgan | IESG state changed to IESG Evaluation::Revised I-D Needed from IESG Evaluation |
2021-12-02
|
07 | Zaheduzzaman Sarker | [Ballot comment] Thanks for working on this document. I didn't noted transport related issues in my review. |
2021-12-02
|
07 | Zaheduzzaman Sarker | [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker |
2021-12-01
|
07 | Murray Kucherawy | [Ballot discuss] The examples in Section 4 make use of a function called "base64url" which is defined in RFC 4648. Do we not need … [Ballot discuss] The examples in Section 4 make use of a function called "base64url" which is defined in RFC 4648. Do we not need a normative reference to that document? There was some chatter from the ARTART reviewer (review still pending) that suggested some confusion around validating the examples, and this was part of it. |
2021-12-01
|
07 | Murray Kucherawy | [Ballot comment] I suggest that Section 7.1 should explicitly reference "the ACME Validation Methods sub-registry of the Automated Certificate Management Environment (ACME) Protocol registry group" … [Ballot comment] I suggest that Section 7.1 should explicitly reference "the ACME Validation Methods sub-registry of the Automated Certificate Management Environment (ACME) Protocol registry group" or something like that. Also, I concur with Francesca's suggestion regarding this section. |
2021-12-01
|
07 | Murray Kucherawy | [Ballot Position Update] New position, Discuss, has been recorded for Murray Kucherawy |
2021-12-01
|
07 | John Scudder | [Ballot Position Update] New position, No Objection, has been recorded for John Scudder |
2021-12-01
|
07 | Amanda Baber | IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK |
2021-12-01
|
07 | Amanda Baber | Approval from both JWT and ACME experts. |
2021-12-01
|
07 | Amanda Baber | IANA Experts State changed to Expert Reviews OK from Reviews assigned |
2021-12-01
|
07 | Amanda Baber | JWT assignment approved by expert. |
2021-12-01
|
07 | Martin Vigoureux | [Ballot Position Update] New position, No Objection, has been recorded for Martin Vigoureux |
2021-11-30
|
07 | Warren Kumari | [Ballot comment] Much thanks to Ron Bonica for the OpsDir review. |
2021-11-30
|
07 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2021-11-30
|
07 | Francesca Palombini | [Ballot comment] Thank you for the work on this document. I support Ben's DISCUSS, in particular the inconsistencies between definition and examples for the "atc" … [Ballot comment] Thank you for the work on this document. I support Ben's DISCUSS, in particular the inconsistencies between definition and examples for the "atc" claim (array vs object, "ca" defined as 4th optional field in an array), and his thoughtful COMMENTs, I found myself having the same questions about some of them, so will be looking out for your answers to those as well. Additionally, I would suggest to add a Description column to the IANA ACME Authority Token Challenge Type Registry, containing some short description of what the types defined are. Francesca |
2021-11-30
|
07 | Francesca Palombini | [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini |
2021-11-29
|
07 | Robert Wilton | [Ballot comment] Hi, Thanks for this. I don't know much about ACME. Hence only some minor comments/suggestions. 1. Introduction It enables administrative entities to … [Ballot comment] Hi, Thanks for this. I don't know much about ACME. Hence only some minor comments/suggestions. 1. Introduction It enables administrative entities to prove effective control over resources like domain names, and automates the process of generating and issuing certificates that attest control or ownership of those resources. In some cases, proving effective control over an identifier requires an attestation from a third party who has authority over the resource, I note that you use "identifier" in the first part of the sentence and then "resource" in the second, and wanted to check that these shouldn't both be "resource". 4. Authority Token Challenge tkauth-type Registration In addition to helping to manage replay, the "jti" provides a convenient way to reliably track with the same "atc" Authority Token is being used for multiple challenges over time within its set expiry. I found this sentence hard to scan/understand. { "protected": base64url({ "typ":"JWT", "alg":"ES256", "x5u":"https://authority.example.org/cert" }), "payload": base64url({ "iss":"https://authority.example.org/authz", "exp":1300819380, "jti":"id6098364921", "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint": "SHA256 56:3E:CF:AE:83:CA:4D:15:B0:29:FF:1B:71:D3:BA:B9:19:81:F8:50: 9B:DF:4A:D4:39:72:E2:B1:F0:B9:38:E3"} }), "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ" } The alignment of the rows of this JSON looks somewhat strange. Aligning the fields may make it more readable. 5. Acquiring a Token MUST support an HTTPS REST interface Is REST well defined enough to be an RFC 2119 MUST? Does this need a reference to what constitutes a REST interface that would be compliant with this specification? Thanks, Rob |
2021-11-29
|
07 | Robert Wilton | [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton |
2021-11-29
|
07 | Lars Eggert | [Ballot comment] This document seems to have unresolved IANA issues. In Section 7.1, you might want to include a specific "Note to the RFC Editor" … [Ballot comment] This document seems to have unresolved IANA issues. In Section 7.1, you might want to include a specific "Note to the RFC Editor" instructing them on how to handle "[RFCThis]". Thanks to Linda Dunbar for their General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/aG97YZgQmi6tGHVt--QW3dV0rfY). ------------------------------------------------------------------------------- NIT ------------------------------------------------------------------------------- All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 1. , paragraph 3, nit: > cture for Authority Tokens, defines a the Authority Token format along with a > ^^^^^ Two determiners in a row. Choose either "a" or "the". Section 3. , paragraph 4, nit: > r a number of different namespaces; other might be specific to a particular t > ^^^^^ It seems that the plural noun "others" fits better in this context. |
2021-11-29
|
07 | Lars Eggert | [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert |
2021-11-27
|
07 | Benjamin Kaduk | [Ballot discuss] (1) Let's talk briefly about how JWT issuers are identified. Section 4 has some text: For this ACME Authority Token usage of … [Ballot discuss] (1) Let's talk briefly about how JWT issuers are identified. Section 4 has some text: For this ACME Authority Token usage of JWT, the payload of the JWT OPTIONALLY contain an "iss" indicating the Token Authority that generated the token, if the "x5u" element in the header does not already convey that information; typically, this will be the same location that appeared in the "token-authority" field of the ACME challenge. [...] While "iss" is the default way to identify a JWT issuer, the JWT BCP (RFC 8725, BCP 225) does not make a strong recommendation that it is the preferred way to do so, with the implication that other ways to identify the issuer are reasonable. However, the text here only mentions the "x5u" element as an alternative to "iss" for identifying the issuer, which does not seem to be a comprehensive depiction of the JWT ecosystem. Issuers could be identified by other X.509 related protected headers such as "x5c", or in some situations just by the key used for signing (when that key is accompanied by other configured metadata), among other things. So, I don't understand why we call out "x5u" specifically here and apparently don't allow other ways of identifying the issuer. (2) We seem to describe the contents of the "atc" JWT claim as an array in §4, but the examples show its payload as a JSON map. Which is correct? (3) I'd also like to have a (hopefully brief) discussion about the properties that we do and do not provide as relates to binding an authority token to an ACME client. In particular, in the REST API to the Token Authority, we have the client provide the fingerprint of its ACME key/identity, but the Token Authority does not do any validation on that value and is expected to just include it directly in the issued token. This means that some other entity X who is not the legitimate client but knows their key (fingerprint), and is also authorized to use a given identifier by the Token Authority, could cause a token to be issued that references the legitimate client's key. (Note that X could learn the fingerprint of the client by, e.g., being a semi-trusted CDN in front of the ACME server as considered by RFC 8555§10.1.) That token would then only be useful by the legitimate client, and so there would need to be some other vulnerability that lets X trick the client into using that token, but it still seems that we have broken the chain of custody that would let us claim that the authority token was generated "based on a request from the client" (§3.3). In particular, it seems that (with these preconditions) we might have a scenario where a client gets issued a certificate for numbers that it is not actually authorized for! This weakness does not immediately lead to an obvious vulnerability, as it requires two additional factors to be exploited -- the attacker must themselves be authorized at the Token Authority, and there needs to be some as-yet-unknown mechanism for the attacker to cause the client to use this new/different token -- but I think we at a minimum need to document the properties that we don't provide. We could choose to make the mechanism more complicated and close off this loophole by requiring proof of possession in the request to the token authority. The obvious way to do this robustly would require another round trip, though, to let the token authority provide a nonce that the proof of possession is provided over. Sometimes we can use a TLS Exporter value to save on that round-trip, but I haven't thought through very carefully what that would look like here. The request to the token authority would probably need to convey the entire public key, not just the fingerprint, so that the signature could be verified. There's another risk relating to thumbprints that is probably worth documenting -- we in effect are hardcoding a dependence on SHA256 for the fingerprints. (I'm happy to see that the wire-format of the thumbprint does identify the hash function used, so a transition mechansims should be pretty straightforward.) In light of the BCP 201 guidance for building in algorithm agility, I think we should say that we are hardcoding SHA256 and SHA256 is believed to still be quite strong (the SHA-3 contest helped solidify that position), but if a second preimage attack for SHA256 is found, an issued authority token could be used with a different ACME account key. We can also go on to say that in that event, implementations can migrate to using a different hash function for the fingerprints due to the in-band hash function identification in the fingerprint field. Such a transition would require a new RFC to actually specify the details of the new behavior, but would not be very invasive to implementations. (4) We mention almost in passing that the tkauth-01 challenge type has a new "token-authority" field that designates a location where a token can be acquired. I think we need to have some more explicit discussion of the semantics of this field and how it's populated, especially in light of how this document implies that typical usage will include "token-authority" but the companion document implies that "token-authority" will not be in common usage. We definitely need some discussion of the security considerations of having party X tell the client to go authenticate to party Y and do some thing; this type of flow is very prone to enabling phishing attacks where the client gives party Y credentials that party Y is not supposed to have. In many cases it ends up being a de facto requirement that the client is configured with a specific list of allowed values for "party Y" and must reject anything not known to be trusted. (So, in this case, that would have the client reject any token authority URLs that are not in this preconfigured allow-list.) |
2021-11-27
|
07 | Benjamin Kaduk | [Ballot comment] It's surprising to see a new JWT-using protocol that doesn't cite RFC 8725. Section 4 This draft specifies a tkauth-type of … [Ballot comment] It's surprising to see a new JWT-using protocol that doesn't cite RFC 8725. Section 4 This draft specifies a tkauth-type of "atc" which contains a standard JWT token [RFC7519] using a JWS-defined signature string [RFC7515]. The "atc" tkauth-type MAY be used for any number of different ACME identifier types in the ACME challenge. Is there an authoritative listing anywhere of exactly which identifier types it can be used with? In particular, it seems like there is a need for a bit of specification for how a given identifier type integrates with "atc" usage, and this document perhaps only covers that integration for TNAuthList and not the other defined ACME identifier types. If someone wanted to perform such an integration in the future (whether for an identifier type that already exists or some new one), and wrote a new document, how would we want to associate such a document with the "atc" registration/specification? The JWT payload MUST also contain a new JWT claim, "atc", for Authority Token Challenge, which contains three mandatory elements in an array: the ATC identifier type ("tktype"), the identifier value ("tkvalue"), and the binding ("fingerprint"). The use of "tktype" is restricted to the values in the "ACME Identifier Types" registry as defined by [RFC8555]. [...] I'm curious what went into the decision to use the name "tktype" for this field -- the "tk" prefix seems to correspond to "token" and thus indiate the generic authority token mechanism. A "tktype", then, might seem to be a type of authority token in a straightforward reading. This is in contrast with the stated meaning, the identifier type that the authority token conveys. Would, say, "tkidtype" be useful here? The "tkvalue" indicates the scope of the authority that the token, and its semantics are outside the scope of this document. [...] Do the semantics of the "tkvalue" contents need to be specified somewhere else? In the document that defines the identifier type, perhaps? Are the semantics of the identifier types already in the IANA registry specified somewhere? The identifier type and value are those given in the ACME challenge and conveyed to the Token Authority by the ACME client. This seems to presuppose that the ACME challenge exists prior to the authority token issuance, but elsewhere in the document we allow for token issuance prior to the creation of the ACME challenge. How might these fields be populated in that case? Following the example of [I-D.ietf-acme-authority-token-tnauthlist], the "tkvalue" identifier type could be the TNAuthList, with a "tkvalue" as defined in [RFC8226] that the Token Authority is attesting. [...] [This is a bit slim on what the encoded tkvalue actually is to be, but it's probably okay to defer this to the referenced document. I do have an open point on that document that we should say what ASN.1 encoding is used, though.] or individual telephone numbers. For the purposes of the "atc" tkauth-type, the binding "fingerprint" is assumed to be a fingerprint of the ACME credential for the account used to request the certificate, but the specification of how the binding is generated is left to the identifier type profile for the Authority Token. So for example: I really strongly dislike this phrasing of "is assumed to be [...] but the specification [...] is left to the identifier type profile". It seems like a recipe for confusion about what the protocol actually entails. It seems like we could probably get away with making "atc" just always use the account key fingerprint (regardless of identifier type), and if a different binding is needed, that could get a new authority token challenge type. Alternately, we could say that the profile for the identifier type MUST specify how the binding is computed, and offer the fingerprint as an example method, but say nothing about "default" or "assumed to be" -- if it's something that is unequivocally the responsibility of the profile, then it's clear where to go to find out what to put there. On the gripping hand, though, other parts of this document seem to be written on the assumption that it will always be the fingerprint. Optionally, the "atc" claim may contain a fourth element, "ca". If set to "true", the "ca" element indicates that the Token Authority is Are the 'ca' contents limited to a boolean value (and should we say so in the document)? Or is "true" the only admitted value, with the element omitted for other cases? (The text in -tnauthlist that claims to define the "atc" claim has a bit more detail on this topic.) granting permission to issue a certification authority certificate rather than an end-entity certificate for the names in question. This permits subordinate delegations from the issued certificate. If Since the ACME ecosystem already has a native delegation mechanism (RFC 9115), it might be helpful to make some statement about how this delegation mechanism (doesn't) relate to that one. Specifications of "tktype" identifier types may define additional optional "atc" elements. Since the "tktype" identifier types are allocated from a registry created by RFC 8555 (that accordingly does not mention the ability to allocate additional "atc" elements), do we want to add a note or additional reference to the registry to publicize this functionality? Alternately, perhaps we are really talking about the specification of the integration of token types with "atc" usage (a "profile", as the terminology seems to be used in the draft already), which may or may not be in the same document that specifies the new ACME identifier type. Section 5.1 The body of the POST request MUST contain the Authority Token Challenge element that the client is requesting the Token Authority generate. In the way, the client proposes the scope of the Authority Token it would like to receive from the Token Authority. To clarify: by "Authority Token Challenge element", we mean the value of the key/value pair identified by the key "atc"? So the string '"atc":' does not appear in the POST body? I might consider some more prose or an explicit example, though since this section is in some sense only providing a template for the API exposed by the Token Authority and not a full API specification, perhaps there is no need. (Peeking ahead to -tnauthlist, I see that the example there refers to "the "atc" JSON object that should be embedded in the token" and does contain '"atc":'...) Section 7.3 Is there anything to say about what topics the reference for a given allocation needs to cover? Section 8 Up in §3 we mention the need for a trust relationship between CA and token authority; is there anything more to say about that here (including, perhaps, some mention of the consequences if the trust proves to be misplaced in either direction)? Do we want to give any more guidance on how to set the expiration time for (TNAuthList or other) authority tokens? We might mention that an implementation of a Token Authority REST interface should avoid side channel leakage (e.g., for whether a given account ID exists) in its HTTP responses/response codes. When "x5u" is used to identify the issuer, the security considerations for referencing remote URLs apply; RFC 3986 does a decent job of documenting these. Issuance of CA certificates (e.g., for STIR delegation) has additional security considerations; we should probably reference the stir-delegation document here and incorporate those considerations. is the fingerprint specified in Section 4). All Authority Tokens must specify an expiry (of the token itself as proof for a CA, as opposed to the expiry of the name), and for some application, it may make sense of that expiry to be quite short. Any protocol used to Should/must the expiration time of the issued certificate be prior to the expiration time of the authority token used to authorize certificate issuance? NITS I think these are all useful changes, but there's no need to respond if you disagree -- just go ahead and ignore anything you don't like. Section 1 on the Internet. It enables administrative entities to prove effective control over resources like domain names, and automates the process of generating and issuing certificates that attest control or ownership of those resources. I'm not sure in what sense ACME really automates "generating" certificates in addition to automating "issuing" them. Perhaps one could say that it automates the process to request a certificate and that is a new contribution, but I don't think that ACME itself adds much to something that could be called "generating" a certificate. In some cases, proving effective control over an identifier requires an attestation from a third party who has authority over the resource, for example, an external policy administrator for a namespace other than the DNS application ACME was originally designed to support. In order to automate the process of issuing certificates for those resources, this specification defines a generic Authority Token challenge that ACME servers can issue in order to require clients to return such a token. [...] Pedantically, I don't think we've defined or described the authority token yet; the text leading up to this only covers the challenge. So writing "such a token" seems premature and we might rather say "return an Authority Token that authorizes a given issuance". Section 3 token could be used as a response to an ACME challenge. This specification, therefore, defines an Authority Token issued by an authority over a namespace to an ACME client for delivery to a CA in response to a challenge. Authority over a hierarchical namespace can Is it for delivery to a CA or to an ACME server? described in [I-D.ietf-acme-authority-token-tnauthlist]; in order to use "tkauth-01" Validation Method with an ACME Identifier type other than "TNAuthList," that identifier type would need to be registered separately with IANA. [...] If this would be a new registration in the "ACME Validation Methods" registry, I'd suggest "that identifier type would need to be listed in a new registration in the ACME Validation Methods registry maintained by IANA". The current text is easy to misread as saying that the identifier type itself would need to be registered, e.g., in the ACME Identifier Types registry. While that is no doubt true, it doesn't seem to be the intent of this statement. Section 3.1 While Authority Token types do not need to be specific to a namespace, every token must carry enough information for a CA to determine the name that it will issue a certificate for. Some types Maybe s/name that it will issue a certificate for/name for which certificate issuance is authorized/, since the CA could decide to not issue for some other reason. While nothing precludes use cases where an ACME client is itself a Token Authority, an ACME client will typically need a protocol to request and retrieve an Authority Token. The Token Authority will require certain information from an ACME client in order to ascertain that it is the right entity to request a certificate for a particular name. [...] Maybe s/the right entity/an authorized entity/, as there could in theory be more than one? The protocols used to request an Authority Token MUST convey to the Token Authority the identifier type and value from or what will be used in the ACME challenge, [...] I'm having a bit of trouble making "type and value from or what will be used in" into a two-branch parallel statement relating to the ACME challenge. Possibly s/what/that/ would help things fit (or maybe I'm just missing the right reading), but I'm not really sure. both "example.com" or "example.net". The advantage of the latter is that if, at a later time (but one within the expiry of the JWT), the This is the first time we mention "JWT", and we have not yet made the connection that Authority Tokens will be JWTs. Section 3.3 different purpose. To mitigate this, Authority Tokens contain a binding signed by a Token Authority; an ACME server can use the This phrasing suggests that the binding is signed indepenedently of the JWT itself, which doesn't seem to be the case; maybe something about "the signture on the Authority Token covers a binding value" instead? Section 4 claim manages token freshness. In addition to helping to manage replay, the "jti" provides a convenient way to reliably track with the same "atc" Authority Token is being used for multiple challenges over time within its set expiry. "with" in "track with" doesn't seem quite right; maybe "when"? Maybe s/expiry/lifetime/ as well, as "expiry" would typically refer to the event or time of expiration, as opposed to the entire period of validity. Following the example of [I-D.ietf-acme-authority-token-tnauthlist], the "tkvalue" identifier type could be the TNAuthList, with a Do we want to s/tkvalue/tktype/ here? The next line goes on to talk about the actual "tkvalue" contents, so it might help readability to refer to the named field that holds the type, here. "atc":{"tktype":"TnAuthList","tkvalue":"F83n2a...avn27DN3==","fingerprint": We seem to capitalize it "TNAuthList" in the actual IANA registration request in the companion document. Section 5.1 In order to request an Authority Token from a Token Authority, a client sends an HTTPS POST request. This specification assumes that Token Authority URIs are known to clients through preexisting business relationships, and that credentials and related authentication and authorization for Authority Token acquisition encompassed in that relationship. [...] There seems to be a missing word or two here, maybe "are encompassed" and "that the credentials and related [...]". POST /at/account/:id/token HTTP/1.1 Host: authority.example.com Content-Type: application/json Is ":id" intended to be a placeholder for an actual account identifier? That might be worth mentioning in the prose and/or using a little bit more markup around. (draft-ietf-acme-authority-token-tnauthlist does attempt to put some text in to that effect.) |
2021-11-27
|
07 | Benjamin Kaduk | [Ballot Position Update] New position, Discuss, has been recorded for Benjamin Kaduk |
2021-11-26
|
07 | Erik Kline | [Ballot Position Update] New position, No Objection, has been recorded for Erik Kline |
2021-11-26
|
07 | Éric Vyncke | [Ballot comment] Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if … [Ballot comment] Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education), and some nits. Special thanks to Rich Salz for the shepherd's write-up about the WG consensus (and I noted the mix of STIR & ACME). I hope that this helps to improve the document, Regards, -éric I am trusting Roman and the authors, but I wonder where a replay attack protection is described ? Did the STIR/ACME WG consider the use of "ticket" rather than "token" ? -- Section 1 -- Authors may consider to remove the last paragraph has it could be read as limiting this I-D to the STIR use case (even with the leading "for example") -- Section 8 -- The first § explicitly request TLS (what about QUIC BTW) and the last § is less specific as it only requests "MUST use confidentiality". Is there any reason for this slight difference ? == NITS == -- Section 4 -- Isn't "JWT token" redundant as the "T" in "JWT" is already "token" ;-) |
2021-11-26
|
07 | Éric Vyncke | [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke |
2021-11-19
|
07 | Martin Duke | [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke |
2021-11-18
|
07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Magnus Nystrom. Submission of review completed at an earlier date. |
2021-11-16
|
07 | Cindy Morgan | Placed on agenda for telechat - 2021-12-02 |
2021-11-16
|
07 | Roman Danyliw | Ballot has been issued |
2021-11-16
|
07 | Roman Danyliw | [Ballot Position Update] New position, Yes, has been recorded for Roman Danyliw |
2021-11-16
|
07 | Roman Danyliw | Created "Approve" ballot |
2021-11-16
|
07 | Roman Danyliw | IESG state changed to IESG Evaluation from Waiting for Writeup |
2021-11-16
|
07 | Roman Danyliw | Ballot writeup was changed |
2021-11-16
|
07 | Michelle Cotton | IANA Experts State changed to Reviews assigned |
2021-11-16
|
07 | (System) | IANA Review state changed to IANA - Not OK from IANA - Review Needed |
2021-11-16
|
07 | Michelle Cotton | (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-acme-authority-token-07. If any part of this review is inaccurate, please let … (Via drafts-lastcall-comment@iana.org): IESG/Authors/WG Chairs: The IANA Functions Operator has completed its review of draft-ietf-acme-authority-token-07. If any part of this review is inaccurate, please let us know. The IANA Functions Operator has a question about one of the actions requested in the IANA Considerations section of this document. The IANA Functions Operator understands that, upon approval of this document, there are three actions which we must complete. First, in the ACME Validation Methods registry on the Automated Certificate Management Environment (ACME) Protocol registry page located at: https://www.iana.org/assignments/acme/ a single, new registration will be made as follows: Label: tkauth-01 Identifier Type: TNAuthList ACME: Y Reference: [ RFC-to-be ] As this document requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Second, in the JSON Web Token Claims registry on the JSON Web Token (JWT) registry page located at: https://www.iana.org/assignments/jwt/ a single, new registration will be made as follows: Claim Name: atc Claim Description: Authority Token Challenge Change Controller: IESG reference: [ RFC-to-be ] As this also requests registrations in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK." Third, a new registry is to be created called the ACME Authority Token Challenge Types registry. IANA Question --> Where should this new registry be located? Should it be added to an existing registry page? If it needs a new page, does it also need a new category at http://www.iana.org/protocols (and if so, should the page and the category have the same name)? The new registry will be managed via Specification Required as defined in RFC8126. There is a single, initial registration in the new registry as follows: Label Reference --------------------+------------------- atc [ RFC-to-be ] The IANA Functions Operator understands that these are the only actions required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the list of actions that will be performed. Thank you, Michelle Cotton IANA Services |
2021-11-16
|
07 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2021-11-15
|
07 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Magnus Nystrom. |
2021-11-15
|
07 | Ron Bonica | Request for Last Call review by OPSDIR Completed: Ready. Reviewer: Ron Bonica. Sent review to list. |
2021-11-03
|
07 | Linda Dunbar | Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Linda Dunbar. Sent review to list. |
2021-10-29
|
07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Linda Dunbar |
2021-10-29
|
07 | Jean Mahoney | Request for Last Call review by GENART is assigned to Linda Dunbar |
2021-10-28
|
07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Magnus Nystrom |
2021-10-28
|
07 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Magnus Nystrom |
2021-10-27
|
07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Ron Bonica |
2021-10-27
|
07 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Ron Bonica |
2021-10-26
|
07 | Barry Leiba | Request for Last Call review by ARTART is assigned to Tim Bray |
2021-10-26
|
07 | Barry Leiba | Request for Last Call review by ARTART is assigned to Tim Bray |
2021-10-26
|
07 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2021-10-26
|
07 | Cindy Morgan | The following Last Call announcement was sent out (ends 2021-11-16): From: The IESG To: IETF-Announce CC: Rich Salz , acme-chairs@ietf.org, acme@ietf.org, draft-ietf-acme-authority-token@ietf.org, … The following Last Call announcement was sent out (ends 2021-11-16): From: The IESG To: IETF-Announce CC: Rich Salz , acme-chairs@ietf.org, acme@ietf.org, draft-ietf-acme-authority-token@ietf.org, rdd@cert.org, rsalz@akamai.com Reply-To: last-call@ietf.org Sender: Subject: Last Call: (ACME Challenges Using an Authority Token) to Proposed Standard The IESG has received a request from the Automated Certificate Management Environment WG (acme) to consider the following document: - 'ACME Challenges Using an Authority Token' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the last-call@ietf.org mailing lists by 2021-11-16. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token challenge for ACME which supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-acme-authority-token/ No IPR declarations have been submitted directly on this I-D. |
2021-10-26
|
07 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2021-10-26
|
07 | Cindy Morgan | Last call announcement was changed |
2021-10-26
|
07 | Roman Danyliw | Last call was requested |
2021-10-26
|
07 | Roman Danyliw | Last call announcement was generated |
2021-10-26
|
07 | Roman Danyliw | Ballot approval text was generated |
2021-10-26
|
07 | Roman Danyliw | Ballot writeup was generated |
2021-10-26
|
07 | (System) | Changed action holders to Roman Danyliw (IESG state changed) |
2021-10-26
|
07 | Roman Danyliw | IESG state changed to Last Call Requested from AD Evaluation::AD Followup |
2021-10-25
|
07 | (System) | Removed all action holders (IESG state changed) |
2021-10-25
|
07 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2021-10-25
|
07 | Jon Peterson | New version available: draft-ietf-acme-authority-token-07.txt |
2021-10-25
|
07 | (System) | New version approved |
2021-10-25
|
07 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , David Hancock , Jon Peterson , Mary Barnes |
2021-10-25
|
07 | Jon Peterson | Uploaded new revision |
2021-07-27
|
06 | Roman Danyliw | Revised AD Review: https://mailarchive.ietf.org/arch/msg/acme/a1hupzPvjZVTCmGIlbNBRdulVls/ |
2021-07-27
|
06 | (System) | Changed action holders to Mary Barnes, Jon Peterson, David Hancock, Chris Wendt (IESG state changed) |
2021-07-27
|
06 | Roman Danyliw | IESG state changed to AD Evaluation::Revised I-D Needed from AD Evaluation::AD Followup |
2021-07-12
|
06 | (System) | Sub state has been changed to AD Followup from Revised ID Needed |
2021-07-12
|
06 | Jon Peterson | New version available: draft-ietf-acme-authority-token-06.txt |
2021-07-12
|
06 | (System) | New version approved |
2021-07-12
|
06 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , David Hancock , Jon Peterson , Mary Barnes |
2021-07-12
|
06 | Jon Peterson | Uploaded new revision |
2021-07-09
|
05 | Roman Danyliw | Third check-in on response to AD Review: https://mailarchive.ietf.org/arch/msg/acme/aYX5gdfwILJliU9v_UeCIkXexRY/ |
2021-05-12
|
05 | Roman Danyliw | Second WG check-in on document progress: https://mailarchive.ietf.org/arch/msg/acme/w9nmt2y9BxF3js0LMnhMa_uVqLA/ |
2021-04-15
|
05 | Roman Danyliw | Status check to WG mailing list: https://mailarchive.ietf.org/arch/msg/acme/YgKHOq-UjJeutKcDJyc2KMKioLc/ |
2020-10-14
|
05 | Roman Danyliw | IESG state changed to AD Evaluation::Revised I-D Needed from Publication Requested |
2020-10-14
|
05 | Roman Danyliw | AD Review: https://mailarchive.ietf.org/arch/msg/acme/UOFqfi5B7XktdYf3kI7iTNBR27Q/ |
2020-08-13
|
05 | Rich Salz | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated … As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 1 November 2019. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This is a proposed standard. The title does not say that. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token challenge for ACME which supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications. Working Group Summary: This work was done primarily be members of the STIR WG, working in ACME but coordinating with STIR. Document Quality: There are vendors, in STIR, who intend to implement this as the base document for TNAuthList (q.v.) Who is the Document Shepherd? Who is the Responsible Area Director? Rich Salz is the shepherd; Roman Danyliw is the AD (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. I reviewed the document, and previous drafts. I am not an expert on STIR (I nominally follow that WG email). I encouraged the start of this work. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. I believe STIR has done the proper reviews and industry adoption. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Yes, in email to me. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. n/a (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The WG is fine with the document, although most people (while they applaud the effort) did not express an opinion. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. One self-referential error, == Missing Reference: 'RFCThis' is mentioned on line 425, but not defined (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. n/a (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. draft-ietf-acme-authority-tnauthlist depends on this; the two should be processed together. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). I believe Section 8 of the draft clearly documents the IANA requests. This document defines a new ACME identifier, atc, and a new IANA registry for naming token types within the atc "class." It does not define the qualifications for that registry, presumably it inherits the type of other ACME registries. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. n/a (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. n/a (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? n/a |
2020-08-13
|
05 | Rich Salz | Responsible AD changed to Roman Danyliw |
2020-08-13
|
05 | Rich Salz | IETF WG state changed to Submitted to IESG for Publication from WG Document |
2020-08-13
|
05 | Rich Salz | IESG state changed to Publication Requested from I-D Exists |
2020-08-13
|
05 | Rich Salz | IESG process started in state Publication Requested |
2020-08-13
|
05 | Rich Salz | As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated … As required by RFC 4858, this is the current template for the Document Shepherd Write-Up. Changes are expected over time. This version is dated 1 November 2019. (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This is a proposed standard. The title does not say that. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary: Some proposed extensions to the Automated Certificate Management Environment (ACME) rely on proving eligibility for certificates through consulting an external authority that issues a token according to a particular policy. This document specifies a generic Authority Token challenge for ACME which supports subtype claims for different identifiers or namespaces that can be defined separately for specific applications. Working Group Summary: This work was done primarily be members of the STIR WG, working in ACME but coordinating with STIR. Document Quality: There are vendors, in STIR, who intend to implement this as the base document for TNAuthList (q.v.) Who is the Document Shepherd? Who is the Responsible Area Director? Rich Salz is the shepherd; Roman Danyliw is the AD (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. I reviewed the document, and previous drafts. I am not an expert on STIR (I nominally follow that WG email). I encouraged the start of this work. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No. I believe STIR has done the proper reviews and industry adoption. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why? Yes, in email to me. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. n/a (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? The WG is fine with the document, although most people (while they applaud the effort) did not express an opinion. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. One self-referential error, == Missing Reference: 'RFCThis' is mentioned on line 425, but not defined (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, YANG Doctor, media type, and URI type reviews. n/a (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? No. draft-ietf-acme-authority-tnauthlist depends on this; the two should be processed together. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. No. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 8126). I believe Section 8 of the draft clearly documents the IANA requests. This document defines a new ACME identifier, atc, and a new IANA registry for naming token types within the atc "class." It does not define the qualifications for that registry, presumably it inherits the type of other ACME registries. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. n/a (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, YANG modules, etc. n/a (20) If the document contains a YANG module, has the module been checked with any of the recommended validation tools (https://trac.ietf.org/trac/ops/wiki/yang-review-tools) for syntax and formatting validation? If there are any resulting errors or warnings, what is the justification for not fixing them at this time? Does the YANG module comply with the Network Management Datastore Architecture (NMDA) as specified in RFC8342? n/a |
2020-06-12
|
05 | Rich Salz | Changed consensus to Yes from Unknown |
2020-06-12
|
05 | Rich Salz | Intended Status changed to Proposed Standard from None |
2020-06-12
|
05 | Rich Salz | Notification list changed to Rich Salz <rsalz@akamai.com> |
2020-06-12
|
05 | Rich Salz | Document shepherd changed to Rich Salz |
2020-03-09
|
05 | Jon Peterson | New version available: draft-ietf-acme-authority-token-05.txt |
2020-03-09
|
05 | (System) | New version approved |
2020-03-09
|
05 | (System) | Request for posting confirmation emailed to previous authors: Jon Peterson , Chris Wendt , David Hancock , Mary Barnes |
2020-03-09
|
05 | Jon Peterson | Uploaded new revision |
2019-11-04
|
04 | Jon Peterson | New version available: draft-ietf-acme-authority-token-04.txt |
2019-11-04
|
04 | (System) | New version approved |
2019-11-04
|
04 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , Mary Barnes , David Hancock , Jon Peterson |
2019-11-04
|
04 | Jon Peterson | Uploaded new revision |
2019-09-26
|
03 | (System) | Document has expired |
2019-03-25
|
03 | Jon Peterson | New version available: draft-ietf-acme-authority-token-03.txt |
2019-03-25
|
03 | (System) | New version approved |
2019-03-25
|
03 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , Mary Barnes , David Hancock , Jon Peterson |
2019-03-25
|
03 | Jon Peterson | Uploaded new revision |
2019-03-11
|
02 | Jon Peterson | New version available: draft-ietf-acme-authority-token-02.txt |
2019-03-11
|
02 | (System) | New version approved |
2019-03-11
|
02 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , Mary Barnes , David Hancock , Jon Peterson |
2019-03-11
|
02 | Jon Peterson | Uploaded new revision |
2018-10-22
|
01 | Jon Peterson | New version available: draft-ietf-acme-authority-token-01.txt |
2018-10-22
|
01 | (System) | New version approved |
2018-10-22
|
01 | (System) | Request for posting confirmation emailed to previous authors: Chris Wendt , Mary Barnes , David Hancock , Jon Peterson |
2018-10-22
|
01 | Jon Peterson | Uploaded new revision |
2018-07-03
|
00 | Jon Peterson | New version available: draft-ietf-acme-authority-token-00.txt |
2018-07-03
|
00 | (System) | WG -00 approved |
2018-07-02
|
00 | Jon Peterson | Set submitter to "Jon Peterson ", replaces to (none) and sent approval email to group chairs: acme-chairs@ietf.org |
2018-07-02
|
00 | Jon Peterson | Uploaded new revision |