Extensions to Automatic Certificate Management Environment for End-User S/MIME Certificates
draft-ietf-acme-email-smime-14
Yes
Roman Danyliw
No Objection
(Alvaro Retana)
(Deborah Brungard)
(Martin Duke)
(Robert Wilton)
Note: This ballot was opened for revision 10 and is now closed.
Roman Danyliw
Yes
Erik Kline
No Objection
Comment
(2020-11-03 for -10)
Sent
[ section 2 ] * Use the 8174 text? [ section 6 ] * I think it's fair to all-caps RECOMMENDED the use of DNSSEC.
Murray Kucherawy
No Objection
Comment
(2020-11-04 for -10)
Sent
I support Barry's DISCUSS, especially the bit that references DMARC. You might mention in Security Considerations that the DKIM and DMARC RFCs discuss their dependence on the DNS as well, and their respective vulnerabilities. It seems to me that the second paragraph of Security Considerations says approximately the same thing that the (1) bullet does in the same section.
Éric Vyncke
No Objection
Comment
(2020-11-05 for -10)
Not sent
Thank you for the work put behind this document, it could indeed be really useful. My only comment is support to Barry's point about the intended status of the document. Regards -éric
Benjamin Kaduk Former IESG member
(was Discuss)
Yes
Yes
(2021-01-13 for -13)
Sent
Thanks for the updates to get to the -13; they look really good.
The new text did inspire one further comment, though I don't see a
particular text change that might result, plus I spotted a few editorial nits.
Section 1
1. A Mail User Agent (MUA) which has built in ACME client aware of
the extension described in this document. (We will call such
ACME clients "ACME-email-aware") Such MUA can present nice User
Interface to the user and automate certificate issuance.
(nit?) In the parenthetical, are we calling the ACME clients or the MUA
"ACME-email-aware"? Also, full stop for the end of the sentence.
Section 3
(nit?) In step 8, the MUST-level requirement in the last sentence probably
promotes it into not being a parenthetical.
Section 3.1
If S/MIME signing is used, the certificate corresponding to
the signer MUST have rfc822Name subjectAltName extension with
the value equal to the From header field email address of the
"challenge" email.
A strict equality requirement might make it operationally challenging to
use a unique "from" challenge for each request. I don't see any
feasible alternative, though, as getting into + suffixes in the local
part seems like a non-starter for this document.
Also, nit: s/subjectAltName extension/a subjectAltName extension/
Alvaro Retana Former IESG member
No Objection
No Objection
(for -10)
Not sent
Barry Leiba Former IESG member
(was Discuss)
No Objection
No Objection
(2020-11-18 for -12)
Sent
Thanks for discussing things with me and addressing my comments. Version -12 takes care of all my comments except for the one in Section 2: Please use the new BCP 14 boilerplate and add a normative reference to RFC 8174. The changes from version -10 do introduce a few typos and nits, so I'll record them here; please consider fixing them, but there's no need to respond further. — Section 1 — This document aims to support both: I suggest saying what it does, rather than what it aims to do. Also (nit), as the two numbered items are each multiple sentences, the intro is better worded thus: NEW This document supports both of the following: END Such MUA can present nice User Interface to the user and automate certificate issuance. Nits: there are articles missing, “user interface” doesn’t need capitalization, and “user interface to the user” is redundant: NEW Such an MUA can present a nice interface to the user and automate certificate issuance. END In the second bullet, make it “An MUA”, as we pronounce it “em-yoo-ay”, not “moo-ah”. — Section 3 — The process of issing an S/MIME certificate works as follows. Typo: make it “issuing”. — Section 3.1 — To aid in debugging (and in for some Typo: change “in for” to “for”. — Section 3.2 — In bullet 7: The text/plain body part (whether or not it is inside multipart/alternative) MUST contain a block of lines starting with the line "-----BEGIN ACME RESPONSE-----", followed by one or more line containing the base64url-encoded SHA-256 digest [FIPS180-4] of the key authorization, calculated from concatenated token-part1 (received over email) and token-part2 (received over HTTPS), as outlined in the 5th bullet in Section 3. You changed this from “3rd bullet” to the new “5th bullet”, but I don’t understand why: it’s still the third bullet that talks about how the content is formed.
Deborah Brungard Former IESG member
No Objection
No Objection
(for -10)
Not sent
Martin Duke Former IESG member
No Objection
No Objection
(for -10)
Sent
Robert Wilton Former IESG member
No Objection
No Objection
(for -10)
Not sent