Early Review of draft-ietf-acme-onion-02
review-ietf-acme-onion-02-opsdir-early-wu-2024-08-26-00

Request Review of draft-ietf-acme-onion
Requested revision No specific revision (document currently at 07)
Type Early Review
Team Ops Directorate (opsdir)
Deadline 2024-08-30
Requested 2024-08-17
Requested by Deb Cooley
Authors Q Misell
I-D last updated 2024-08-26
Completed reviews Dnsdir Early review of -02 by Peter van Dijk (diff)
Opsdir Early review of -02 by Qin Wu (diff)
Secdir Early review of -02 by Derrell Piper (diff)
Dnsdir Last Call review of -04 by Peter van Dijk (diff)
Genart Last Call review of -04 by Dale R. Worley (diff)
Secdir Last Call review of -04 by Derrell Piper (diff)
Secdir Telechat review of -05 by Derrell Piper (diff)
Dnsdir Telechat review of -05 by Matt Brown (diff)
Opsdir Telechat review of -05 by Qin Wu (diff)
Assignment Reviewer Qin Wu
State Completed
Request Early review on draft-ietf-acme-onion by Ops Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/L54Fyb78Qd8Sw_sJcAxSRJh05Ic
Reviewed revision 02 (document currently at 07)
Result Has nits
Completed 2024-08-26
I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The document defines extensions to the Automated Certificate Management
Environment (ACME) to allow for the automatic issuance of certificates to Tor
hidden services.

I have read v-02 of this draft. This draft is well written, and I believe it is
on the right track; a few comments and suggestions are below for your reference.

Major issues:
No

Minor Issues:
1. Section 2 said:
"
Version 2 addresses MUST NOT be used as
these are now considered insecure.
"
What are version 2 addresses? Where are version 2 addresses specified?
Do version 2 addresses refer to the 16-character ones? It lacks clarity for
readers who are not familiar with the Tor specification.

2. Section 3 said:
"
The CA/Browser Forum Baseline Requirements [cabf-br] §B.2 define
   methods accepted by the CA industry for validation of ".onion"
   Special-Use Domain Names.
"

What does the symbol "§" represent? Section or Appendix? It is not common
to use this symbol in an Internet-Draft.
The same comment applies to other places using "§".

3. Section 3.1.1 said:
"
   The existing "dns-01" challenge MUST NOT be used to validate ".onion"
   Special-Use Domain Names.
"
Why MUST "dns-01" challenges not be used? I see Section 8.1 and Appendix A
provide some context; would it be good to hook these sections together to
clarify why?

4. Section 3.1.2 said:
"
   The "http-01" challenge is defined as in [RFC8555] §8.3 may be used
   to validate a ".onion" Special-Use Domain Names, with the
   modifications defined in this standard, namely Client authentication
   to hidden services and Certification Authority Authorization (CAA).

"
Which modifications defined in this standard are referred to? Is this related to
the additional field "authkey" in the challenge object defined in Section 4?
If the answer is yes, please add a reference to Section 4.
The same comment applies to other places which mention "modification defined in
this standard".

5. Section 6 said:
"
with the following format:

   "caa" SP flags SP tag SP value NL
   [Any number of times]
"
Is this format related to ABNF or another standard format? Where is this format
specified? Can you provide a concrete reference?

Nits:
s/from its service descriptor it/from its service descriptor
There are several lines exceeding 69 characters.
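As an added example that is not part of this review or of the draft: a small Python parser for the `"caa" SP flags SP tag SP value NL` line format quoted in comment 5, followed by the RFC 8659 issuance decision a CA would make over the parsed records. The constructed descriptor text, the CA name `example-ca.test`, the quoting of the value, and the function names are all assumptions made for the example, not taken from the draft.

```python
"""Parse ``caa`` lines from an onion service descriptor and apply the RFC 8659
issuance rules to them.

Added example, not code from draft-ietf-acme-onion. Assumptions: flags is a
decimal integer 0-255, tag/value carry RFC 8659 CAA semantics, and the value
may be written with surrounding double quotes. The sample descriptor below is
constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # RFC 8659 property tags we understand
ISSUER_CRITICAL = 128                          # RFC 8659 flags bit 0
_TAG_RE = re.compile(r"^[A-Za-z0-9]+$")        # RFC 8659 tag: letters and digits

# Constructed sample: two non-CAA descriptor lines followed by three caa lines.
SAMPLE_DESCRIPTOR = """\
hs-descriptor 3
descriptor-lifetime 180
caa 128 issue "example-ca.test; validationmethods=http-01"
caa 0 issuewild ";"
caa 0 iodef "mailto:security@example.test"
"""


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        """True if the issuer-critical bit is set; an unknown critical tag blocks issuance."""
        return bool(self.flags & ISSUER_CRITICAL)

    @property
    def issuer_domain(self) -> str:
        """For issue/issuewild: the CA domain before any ';' parameters ("" forbids all CAs)."""
        return self.value.split(";", 1)[0].strip().lower()


def parse_caa_lines(descriptor_text: str) -> list[CaaRecord]:
    """Return every 'caa SP flags SP tag SP value' line as a CaaRecord; other lines are skipped."""
    records: list[CaaRecord] = []
    for lineno, raw in enumerate(descriptor_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("caa "):
            continue
        parts = line.split(" ", 3)  # maxsplit keeps spaces inside the value intact
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'caa SP flags SP tag SP value'")
        _, flags_s, tag, value = parts
        if not flags_s.isdigit() or not 0 <= int(flags_s) <= 255:
            raise ValueError(f"line {lineno}: flags must be an integer 0-255")
        if not _TAG_RE.match(tag):
            raise ValueError(f"line {lineno}: invalid tag {tag!r}")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # assumption: optional surrounding quotes
        records.append(CaaRecord(int(flags_s), tag.lower(), value))
    return records


def issuance_allowed(records: list[CaaRecord], issuer_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 decision: may the CA identified by issuer_domain issue for this name?"""
    # A critical record with a tag this CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    # Wildcard requests use issuewild records when present, else fall back to issue.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # no relevant records: CAA does not restrict issuance
    return any(r.issuer_domain == issuer_domain.lower() for r in relevant)


if __name__ == "__main__":
    recs = parse_caa_lines(SAMPLE_DESCRIPTOR)
    for r in recs:
        print(r)
    print("example-ca.test may issue:", issuance_allowed(recs, "example-ca.test"))
    print("example-ca.test may issue wildcard:", issuance_allowed(recs, "example-ca.test", wildcard=True))
```

Because `issuewild ";"` names no CA, the sample forbids wildcard issuance to everyone while still allowing `example-ca.test` to issue non-wildcard certificates; a CA that does not recognise a critical tag refuses outright, which is the conservative failure mode a checker like this should keep.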