Skip to main content

Extensions to Automatic Certificate Management Environment for End-User S/MIME Certificates


Roman Danyliw

No Objection

(Alvaro Retana)
(Deborah Brungard)
(Martin Duke)
(Robert Wilton)

Note: This ballot was opened for revision 10 and is now closed.

Roman Danyliw
Erik Kline
No Objection
Comment (2020-11-03 for -10) Sent
[ section 2 ]

* Use the 8174 text?

[ section 6 ]

* I think it's fair to all-caps RECOMMENDED the use of DNSSEC.
Murray Kucherawy
No Objection
Comment (2020-11-04 for -10) Sent
I support Barry's DISCUSS, especially the bit that references DMARC.  

You might mention in Security Considerations that the DKIM and DMARC RFCs discuss their dependence on the DNS as well, and their respective vulnerabilities.

It seems to me that the second paragraph of Security Considerations says approximately the same thing that the (1) bullet does in the same section.
Éric Vyncke
No Objection
Comment (2020-11-05 for -10) Not sent
Thank you for the work put behind this document, it could indeed be really useful.

My only comment is support to Barry's point about the intended status of the document.


Benjamin Kaduk Former IESG member
(was Discuss) Yes
Yes (2021-01-13 for -13) Sent
Thanks for the updates to get to the -13; they look really good.

The new text did inspire one further comment, though I don't see a
particular text change that might result, plus I spotted a few editorial nits.

Section 1

   1.  A Mail User Agent (MUA) which has built in ACME client aware of
       the extension described in this document.  (We will call such
       ACME clients "ACME-email-aware") Such MUA can present nice User
       Interface to the user and automate certificate issuance.

(nit?) In the parenthetical, are we calling the ACME clients or the MUA
"ACME-email-aware"?  Also, full stop for the end of the sentence.

Section 3

(nit?) In step 8, the MUST-level requirement in the last sentence probably
promotes it into not being a parenthetical.

Section 3.1

          If S/MIME signing is used, the certificate corresponding to
          the signer MUST have rfc822Name subjectAltName extension with
          the value equal to the From header field email address of the
          "challenge" email.

A strict equality requirement might make it operationally challenging to
use a unique "from" challenge for each request.  I don't see any
feasible alternative, though, as getting into + suffixes in the local
part seems like a non-starter for this document.

Also, nit: s/subjectAltName extension/a subjectAltName extension/
Alvaro Retana Former IESG member
No Objection
No Objection (for -10) Not sent

Barry Leiba Former IESG member
(was Discuss) No Objection
No Objection (2020-11-18 for -12) Sent
Thanks for discussing things with me and addressing my comments.  Version -12 takes care of all my comments except for the one in Section 2:  Please use the new BCP 14 boilerplate and add a normative reference to RFC 8174.

The changes from version -10 do introduce a few typos and nits, so I'll record them here; please consider fixing them, but there's no need to respond further.

— Section 1 —

   This document aims to support both:

I suggest saying what it does, rather than what it aims to do.  Also (nit), as the two numbered items are each multiple sentences, the intro is better worded thus:

   This document supports both of the following:

   Such MUA can present nice User	
   Interface to the user and automate certificate issuance.

Nits: there are articles missing, “user interface” doesn’t need capitalization, and “user interface to the user” is redundant:

   Such an MUA can present a nice
   interface to the user and automate certificate issuance.

In the second bullet, make it “An MUA”, as we pronounce it “em-yoo-ay”, not “moo-ah”.

— Section 3 —

   The process of issing an S/MIME certificate works as follows.

Typo: make it “issuing”.

— Section 3.1 —

   To aid in debugging (and in for some

Typo: change “in for” to “for”.

— Section 3.2 —
In bullet 7:

       The text/plain body part (whether or not it is
       inside multipart/alternative) MUST contain a block of lines
       starting with the line "-----BEGIN ACME RESPONSE-----", followed
       by one or more line containing the base64url-encoded SHA-256
       digest [FIPS180-4] of the key authorization, calculated from
       concatenated token-part1 (received over email) and token-part2
       (received over HTTPS), as outlined in the 5th bullet in
       Section 3.

You changed this from “3rd bullet” to the new “5th bullet”, but I don’t understand why: it’s still the third bullet that talks about how the content is formed.
Deborah Brungard Former IESG member
No Objection
No Objection (for -10) Not sent

Martin Duke Former IESG member
No Objection
No Objection (for -10) Sent

Robert Wilton Former IESG member
No Objection
No Objection (for -10) Not sent