Extensions to Automatic Certificate Management Environment for End-User S/MIME Certificates
RFC 8823

Note: This ballot was opened for revision 10 and is now closed.

Benjamin Kaduk (was Discuss) Yes

Comment (2021-01-13 for -13)
Thanks for the updates to get to the -13; they look really good.

The new text did inspire one further comment, though I don't see a
particular text change that might result, plus I spotted a few editorial nits.

Section 1

   1.  A Mail User Agent (MUA) which has built in ACME client aware of
       the extension described in this document.  (We will call such
       ACME clients "ACME-email-aware") Such MUA can present nice User
       Interface to the user and automate certificate issuance.

(nit?) In the parenthetical, are we calling the ACME clients or the MUA
"ACME-email-aware"?  Also, full stop for the end of the sentence.

Section 3

(nit?) In step 8, the MUST-level requirement in the last sentence probably
promotes it into not being a parenthetical.

Section 3.1

          If S/MIME signing is used, the certificate corresponding to
          the signer MUST have rfc822Name subjectAltName extension with
          the value equal to the From header field email address of the
          "challenge" email.

A strict equality requirement might make it operationally challenging to
use a unique "from" challenge for each request.  I don't see any
feasible alternative, though, as getting into + suffixes in the local
part seems like a non-starter for this document.

Also, nit: s/subjectAltName extension/a subjectAltName extension/

Roman Danyliw Yes

Alvaro Retana No Objection

Erik Kline No Objection

Comment (2020-11-03 for -10)
[ section 2 ]

* Use the 8174 text?

[ section 6 ]

* I think it's fair to all-caps RECOMMENDED the use of DNSSEC.

Martin Duke No Objection

Murray Kucherawy No Objection

Comment (2020-11-04 for -10)
I support Barry's DISCUSS, especially the bit that references DMARC.  

You might mention in Security Considerations that the DKIM and DMARC RFCs discuss their dependence on the DNS as well, and their respective vulnerabilities.

It seems to me that the second paragraph of Security Considerations says approximately the same thing that the (1) bullet does in the same section.

Robert Wilton No Objection

Éric Vyncke No Objection

Comment (2020-11-05 for -10)
No email
send info
Thank you for the work put behind this document, it could indeed be really useful.

My only comment is support to Barry's point about the intended status of the document.

Regards

-éric

(Barry Leiba; former steering group member) (was Discuss) No Objection

No Objection (2020-11-18 for -12)
Thanks for discussing things with me and addressing my comments.  Version -12 takes care of all my comments except for the one in Section 2:  Please use the new BCP 14 boilerplate and add a normative reference to RFC 8174.

The changes from version -10 do introduce a few typos and nits, so I'll record them here; please consider fixing them, but there's no need to respond further.

— Section 1 —

   This document aims to support both:

I suggest saying what it does, rather than what it aims to do.  Also (nit), as the two numbered items are each multiple sentences, the intro is better worded thus:

NEW
   This document supports both of the following:
END

   Such MUA can present nice User	
   Interface to the user and automate certificate issuance.

Nits: there are articles missing, “user interface” doesn’t need capitalization, and “user interface to the user” is redundant:

NEW
   Such an MUA can present a nice
   interface to the user and automate certificate issuance.
END

In the second bullet, make it “An MUA”, as we pronounce it “em-yoo-ay”, not “moo-ah”.

— Section 3 —

   The process of issing an S/MIME certificate works as follows.

Typo: make it “issuing”.

— Section 3.1 —

   To aid in debugging (and in for some

Typo: change “in for” to “for”.

— Section 3.2 —
In bullet 7:

       The text/plain body part (whether or not it is
       inside multipart/alternative) MUST contain a block of lines
       starting with the line "-----BEGIN ACME RESPONSE-----", followed
       by one or more line containing the base64url-encoded SHA-256
       digest [FIPS180-4] of the key authorization, calculated from
       concatenated token-part1 (received over email) and token-part2
       (received over HTTPS), as outlined in the 5th bullet in
       Section 3.

You changed this from “3rd bullet” to the new “5th bullet”, but I don’t understand why: it’s still the third bullet that talks about how the content is formed.

(Deborah Brungard; former steering group member) No Objection

No Objection ( for -10)
No email
send info