Skip to main content

Early Review of draft-ietf-acme-onion-02
review-ietf-acme-onion-02-dnsdir-early-van-dijk-2024-08-20-00

Request Review of draft-ietf-acme-onion
Requested revision No specific revision (document currently at 07)
Type Early Review
Team DNS Directorate (dnsdir)
Deadline 2024-08-30
Requested 2024-08-17
Requested by Deb Cooley
Authors Q Misell
I-D last updated 2024-08-20
Completed reviews Dnsdir Early review of -02 by Peter van Dijk (diff)
Opsdir Early review of -02 by Qin Wu (diff)
Secdir Early review of -02 by Derrell Piper (diff)
Dnsdir Last Call review of -04 by Peter van Dijk (diff)
Genart Last Call review of -04 by Dale R. Worley (diff)
Secdir Last Call review of -04 by Derrell Piper (diff)
Secdir Telechat review of -05 by Derrell Piper (diff)
Dnsdir Telechat review of -05 by Matt Brown (diff)
Opsdir Telechat review of -05 by Qin Wu (diff)
Assignment Reviewer Peter van Dijk
State Completed
Request Early review on draft-ietf-acme-onion by DNS Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/dnsdir/GfrfjP8FRLW-3U97tFydS4JCoJE
Reviewed revision 02 (document currently at 07)
Result Ready w/nits
Completed 2024-08-20
review-ietf-acme-onion-02-dnsdir-early-van-dijk-2024-08-20-00
I am the assigned DNSDIR reviewer for this document. This review is for version
-02, although I see that the working version on GitHub is slightly newer.

While writing this review, I filed a PR on GitHub with a few small editorial
nits (https://github.com/AS207960/acme-onion/pull/3).

Note that while I am well versed in DNS, I'm somewhat weaker when it comes to
all of Tor, ACME, and X.509 in general, so it is possible I ask dumb questions
:-)

This document is in great shape and appears to be well thought out. I see
nothing that prevents publication, but I do have a few questions/small notes. I
have marked this review as "Ready with Nits".

I cannot fully vet section 3.2, but it did raise a question for me:

> nonce ... "It MUST NOT be valid for more than 30 days."

what does it mean for a nonce to have a validity period?

I also cannot fully judge section 4, but it seems coherent.

Section 6 comes closer to DNS than any other part of the document, and this
mapping of CAA into service data makes sense to me. The single bit
"caa-critical" signal in 6.3 is clever.

6.4 makes me wonder if we could do the same trick in DNS land - using DNSSEC
keys to sign a CAA sent in an ACME request, but I digress :)

In 6.4, will it be clear to people more proficient in ACME that a null value
for caa becomes a zero length string for signature calculation purposes?
(Assuming that that is true.)

I agree with the considerations in section 8.1, although I wonder what would
happen if the CA's software was running under something like `torify`.

Should 8.7 have a few words on Certificate Transparency?

The rest of 8 makes sense to me.

In Appendix A, the bit

  ".onion" s

looks weird. Perhaps lose the space? (There's another spurious space, with
different origins, before Iain's last name in the Acknowledgements.)