Last Call Review of draft-ietf-acme-email-smime-08
review-ietf-acme-email-smime-08-genart-lc-yee-2020-07-09-00

Request: Review of draft-ietf-acme-email-smime
Requested rev.: no specific revision (document currently at 14)
Type: Last Call Review
Team: General Area Review Team (Gen-ART) (genart)
Deadline: 2020-07-09
Requested: 2020-06-25
Authors: Alexey Melnikov
Draft last updated: 2020-07-09
Completed reviews:
  Genart Last Call review of -08 by Peter Yee
  Secdir Last Call review of -08 by Hilarie Orman
  Secdir Telechat review of -10 by Hilarie Orman
Assignment: Reviewer Peter Yee
State: Completed
Review: review-ietf-acme-email-smime-08-genart-lc-yee-2020-07-09
Posted at: https://mailarchive.ietf.org/arch/msg/gen-art/0-VruvkzodQPO6LV0Gl0hhwY_as
Reviewed rev.: 08 (document currently at 14)
Review result: Ready with Issues
Review completed: 2020-07-09

Review

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair. Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-acme-email-smime-08
Reviewer: Peter Yee
Review Date: 2020-07-09
IETF LC End Date: 2020-07-09
IESG Telechat date: Not scheduled for a telechat

Summary: This Informational Track draft defines an ACME challenge to be used in the issuance of S/MIME certificates. I have points I'd like to see clarified as well as some nits that need to be cleaned up before I would declare it ready. [Ready with Issues]

Major issues: None

Minor issues:

General: this draft doesn’t frame the operation of the ACME request that uses this challenge. It mentions a token-part2 that magically arrives over HTTPS, but gives no indication of why this happened or what causes the generation of the email challenge. Some context around when this challenge is invoked and what signals the ACME server that this challenge is required would be helpful.

Page 3, 1st enumerated item: I find the definition of “first part of the token” to be far looser than it needs to be. You merely say that it needs to contain 64 bits of entropy. Is there an upper bound? Do you need to say anything about it not being reused in another challenge?

Page 4, example Subject header field: it would be much better if you gave an actual example of a base64url-encoded value here rather than some explanatory text, in much the same way you have given actual, legal values for Date, Message-ID, etc.

Page 5, section 3.2, 1st enumerated item, 1st sentence: it doesn’t seem like you particularly care what is in front of “ACME:”. While you say it’s typically “Re:”, it could be anything. Would there ever be a case to reject a response message based on what appears before “ACME:”? I’d like to see a little more rigor here on what’s required. Some characters followed by a colon and a white space before the “ACME:” suffices?

Page 5, section 3.2, 6th enumerated item, 2nd sentence: where it says “calculated based on”…, it would be preferable to point back to page 3, 2nd enumerated item where you explicitly indicate that the two token parts are concatenated.

Page 5, section 3.2, 6th enumerated item, last sentence: I’m assuming that ACME-unaware clients are only receiving this email in the case of the email being bounced to an administrator or returned to the user. In either case, it’s not the client that will be reading this outside-the-block text, it’s a user. There’s no processing to be done on that text.

Page 7, example Subject header field: use a real value here, please.


Nits/editorial comments:

Page 2, Section 1, 2nd paragraph, change "end user" to "end-user".

Page 2, section 3, 1st paragraph, 1st sentence: insert "a" before "dns".

Page 3, 2nd paragraph, insert "the" before "email".

Page 3, 1st enumerated item, 1st sentence: insert "The" at the beginning of the sentence. Change "bit" to "bits".

Page 3, 1st enumerated item, 2nd sentence: change "bit" to "bits".

Page 3, 2nd enumerated item, 1st sentence: insert "The" at the beginning of the sentence. Change “key-authz” to “keyAuthorization”.

Page 3, 3rd paragraph (the one immediately following the first two enumerated items): insert “the” before “CSR”.

Page 3, section 3.1, 1st enumerated item, 1st sentence: append a comma and “which” after “<token-part1>”. Change “bit” to “bits”.

Page 3, section 3.1, 1st enumerated item, 2nd sentence: insert “the” before “recommended”. Change “78 octet” to “78-octet”.

Page 3, section 3.1, 1st enumerated item, 3rd sentence: insert “the message” before “subject”. Change “subject” to “Subject”. Append “header field” after “Subject”. Append a comma after “i.e.”.

Page 3, section 3.1, 2nd enumerated item: insert “the” before “S/MIME”.

Page 3, section 3.1, 3rd enumerated item: insert “a” before “Reply-To”.

Page 4, section 3.1, 4th enumerated item, 2nd sentence: insert “the” before “type=acme”.

Page 4, section 3.1, 4th enumerated item, 3rd sentence: insert “the” before “syntax”. Insert “the” before “Auto-Submitted”.

Page 4, section 3.1, 5th enumerated item: this is a repeat of item 3 on page 3 and should be deleted.

Page 4, section 3.1, 6th enumerated item, 2nd sentence: insert “the” before “From”. Append a comma after “Content-Type”.

Page 4, section 3.1, 7th enumerated item, 4th sentence: insert “a” before “human”. Change the space after “human” to a hyphen.

Page 4, section 3.1, 7th enumerated item, 5th sentence: insert “the” before “multipart/signed”.

Page 4, section 3.1, 1st paragraph after enumerated items: insert “An” before “Example”. Change “Example” to “example”.

Page 4, example body text, 2nd sentence: delete “an” before “S/MIME”.

Page 5, section 3.2, 1st enumerated item, 2nd sentence: change “bit” to “bits”.

Page 5, section 3.2, 1st enumerated item, 3rd sentence: insert “the” before “recommended”. Change “78 octet” to “78-octet”.

Page 5, section 3.2, 1st enumerated item, 4th sentence: insert “the message” before “subject”. Change “subject” to “Subject”. Append “header field” after “Subject”. Append a comma after “i.e.”.

Page 5, section 3.2, 6th enumerated item, 1st sentence: insert “The” at the beginning of the sentence. Change “Media” to “media”.

Page 5, section 3.2, 6th enumerated item, 2nd sentence: insert “the” before “base64url”. Change the space after “base64url” to a hyphen.

Page 5, section 3.2, 6th enumerated item, 3rd sentence: change “historic” to “historical”. Delete the period that follows the closing parenthesis.

Page 5, section 3.2, 6th enumerated item, 4th sentence: change “the” to “a” before “line containing”.

Page 6, section 3.2, 8th enumerated item, 2nd sentence: insert “the” before “From”. Append a comma after “Content-Type”.

Page 6, 1st paragraph after the enumerated items: insert “An” before “Example”. Change “Example” to “example”.

Page 6, section 4, 2nd paragraph: change “non ASCII” to “non-ASCII”.

Page 7, section 6, 2nd paragraph, 1st sentence: insert “The” before “Security”. Change “Security” to “security”. Insert “the” before “email-reply-00”. Insert “the” before “security of”. Insert “the” before “email system”.

Page 7, section 6, 2nd paragraph, 2nd sentence: insert “a” before “user’s”. Change “feature” to “features”.

Page 7, section 6, 3rd paragraph, 1st sentence: insert “An” before “Email”. Change “Email” to “email”.

Page 10, Appendix A: delete the excess space after “v.”. Append a period after the “A” in “James A Baker”. Append a comma after “Schwartz”. Append a comma after “comments”.
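As an added illustration of the points the review raises (this is not part of the review or of the draft), the following Python sketch shows a challenge Subject header field with a real base64url value, a response-subject check that tolerates a run of “Re:”-style prefixes before “ACME:”, and the key authorization computed from the two concatenated token parts as RFC 8555 defines it. It assumes the ACME token is base64url(decode(token-part1) || decode(token-part2)), that token-part2 has already arrived over the ACME HTTPS channel, and that the account JWK dict holds only the RFC 7638 required members.

```python
import base64
import hashlib
import json
import re
import secrets
from typing import Optional

def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def new_token_part1(nbytes: int = 16) -> str:
    """Fresh random token-part1; the draft requires at least 64 bits of entropy."""
    if nbytes < 8:
        raise ValueError("token-part1 needs at least 64 bits of entropy")
    return b64url(secrets.token_bytes(nbytes))

def challenge_subject(token_part1: str) -> str:
    """Subject header field of the challenge email, carrying a real base64url value."""
    return f"ACME: {token_part1}"

# Accept any run of "Word:" prefixes (Re:, Fwd:, ...) before "ACME:", one strict
# reading of the loose wording the review questions; anything else is rejected.
_RESP_SUBJECT = re.compile(r"^(?:[^:\s]+:\s*)*ACME:\s*([A-Za-z0-9_-]+)\s*$")

def parse_response_subject(subject: str) -> Optional[str]:
    m = _RESP_SUBJECT.match(subject)
    return m.group(1) if m else None

def key_authorization(token_part1: str, token_part2: str, account_jwk: dict) -> str:
    """RFC 8555 key authorization: token '.' base64url(SHA-256(JWK thumbprint input)).
    Assumption: token = base64url(decode(part1) || decode(part2)); account_jwk holds
    only the RFC 7638 required members, so sorted compact JSON is the thumbprint input."""
    token = b64url(b64url_decode(token_part1) + b64url_decode(token_part2))
    canon = json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode()
    return f"{token}.{b64url(hashlib.sha256(canon).digest())}"

def response_digest(key_authz: str) -> str:
    """base64url(SHA-256(keyAuthorization)) that the response body carries."""
    return b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
```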