Skip to main content

Telechat Review of draft-ietf-acme-onion-05
review-ietf-acme-onion-05-opsdir-telechat-wu-2024-12-30-01

Request Review of draft-ietf-acme-onion
Requested revision No specific revision (document currently at 07)
Type Telechat Review
Team Ops Directorate (opsdir)
Deadline 2025-01-07
Requested 2024-12-06
Authors Q Misell
I-D last updated 2024-12-30
Completed reviews Dnsdir Early review of -02 by Peter van Dijk (diff)
Opsdir Early review of -02 by Qin Wu (diff)
Secdir Early review of -02 by Derrell Piper (diff)
Dnsdir Last Call review of -04 by Peter van Dijk (diff)
Genart Last Call review of -04 by Dale R. Worley (diff)
Secdir Last Call review of -04 by Derrell Piper (diff)
Secdir Telechat review of -05 by Derrell Piper (diff)
Dnsdir Telechat review of -05 by Matt Brown (diff)
Opsdir Telechat review of -05 by Qin Wu (diff)
Assignment Reviewer Qin Wu
State Completed
Request Telechat review on draft-ietf-acme-onion by Ops Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/ops-dir/Foqzzn74t3pPn5VBiI-ZPze6JyY
Reviewed revision 05 (document currently at 07)
Result Has nits
Completed 2024-12-30
review-ietf-acme-onion-05-opsdir-telechat-wu-2024-12-30-01
I have reviewed this document as part of the Operational directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving the operational aspects of
the IETF drafts. Comments that are not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs should
treat these comments just like any other last call comments.

This draft extensions to the Automated Certificate Management Environment
(ACME) to allow for the automatic issuance of certificates to Tor hidden
services

This document is on the right track and ready for publication. I have the
following comments on v-05:

Major issues:
None

Minor issues
1. Section 2
s/ as defined in Part Special Hostnames/ as defined in Special Hostnames part
2. Section 3.2 said
“   The two methods already defined in ACME and allowed by the CA/BF do
   not allow issuance of wildcard certificates.
”
Which section of ACME document two methods, can you provide method name or
referenced section in ACME? Can you provide references for ACME in this
paragraph. Also I believe “the” in “The two methods” are not needed. 3. Section
3.2 said: “   A response generated using this nonce MUST NOT be accepted by the
      ACME server if the nonce used was generated by the server more
      than 30 days ago.
”
How does the server know nonce was generated 30+ days ago?
4. Section 6 said:
“   "caa" SP flags SP tag SP value NL
   [Any number of times]
”
Is NL standing for Newline or something else? There is no explanation in the
text. 5. Section 6.4.1 said: “the ACME client does not
   provide an "onionCAA" object in its finalize request the ACME server
   MUST respond with an "onionCAARequired" error to indicate this
”
Further, section 6.4.1 said:
“   Additionally, a new field is defined in the directory "meta" object
   to signal this.

   inBandOnionCAARequired (optional, boolean)  If true, the ACME server
      requires the client to provide the CAA record set in the finalize
      request.  If false or absent the ACME server does not require the
      client to provide the CAA record set is this manner.
”
Would you like to clarify whether “onionCAARquired” error is also linked to
inBandOnionCAA required? If they are not the same thing, can you provide an
example for “onionCAARequired” Error Example? If they are the same thing, I
feel the word “Additional” introducing ambiguity. 6. I am not sure “standard”
is right term used in this draft? Should we replace “in this standard” with “in
this specification”