Skip to main content

Last Call Review of draft-ietf-acme-dtnnodeid-07

Request Review of draft-ietf-acme-dtnnodeid
Requested revision No specific revision (document currently at 14)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2021-11-29
Requested 2021-11-15
Authors Brian Sipos
I-D last updated 2021-11-29
Completed reviews Opsdir Last Call review of -07 by Linda Dunbar (diff)
Secdir Last Call review of -07 by Valery Smyslov (diff)
Genart Last Call review of -07 by Joel M. Halpern (diff)
Opsdir Telechat review of -10 by Linda Dunbar (diff)
Assignment Reviewer Valery Smyslov
State Completed
Request Last Call review on draft-ietf-acme-dtnnodeid by Security Area Directorate Assigned
Posted at
Reviewed revision 07 (document currently at 14)
Result Has issues
Completed 2021-11-29
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area directors.
Document editors and WG chairs should treat these comments just like any other
last call comments.

The draft specifies an extension to the Automated Certificate Management
Environment (ACME) protocol that allows to automatically issue and manage
certificates for nodes in the Delay-Tolerant Networking (DTN) networks.


I was hesitating whether it is a real issue or just the lack of my
understanding of the protocol, but finally decided to mark it as an issue.
Section 5.1 states that CSR MAY contain a mixed set of SAN claims, including
combinations of "ip", "dns", and "bundleEID" claims. However, this document
only defines how ACME server can validate "bundleEID" claim. I think that the
document should at least mention how "dns" and "ip" claims should be validated
(pointing to the appropriate specs).


The document uses both MUST and SHALL keywords. Not a problem, but I think
readability of the document would increase if only one of these forms were used.

Section 7.6.
I think that it should be mentioned more explicitly that these channels must
provide mutual authentication of ACME client/server and corresponding BP
agents, and that the channels must protect integrity and authenticity of the
messages, and in some situations (when client account key thumbprint is
transmitted) also their confidentiality. These are standard security services
and I think it's better to use these terms.