This is a follow-on email with more specific comments on draft-ietf-acme-acme-01.txt.

A couple of terminology points first. I note the use of the term "TLS certificates" throughout the draft. TLS also supports DTCP certificates (RFC 7562); is this format supported? If not, I suggest using "X.509 certificate" throughout, or inventing another term and defining it under Terminology. I note the use of the terms "domain" (user domain apex; "zone" may be more appropriate, but the term is not widely used outside the DNS world) and "domain name" (a name under the user domain apex), sometimes used synonymously, sometimes not. As I read the spec, both are appropriate in certain contexts. Both terms should be defined precisely under Terminology and used consistently.
Section 2.
It was not until I read para 2 of Terminology that the Deployment Model became clearer. Certainly this clarifies that the ACME server is CA operated and (one assumes) communication between them uses JSON over HTTPS - but this is surely part of the deployment model and should be in this section. Further, it is still not clear who could/would/should/might provision the client: a CA-independent third party, an RA, a licensed agent of a CA or RA, a CA - all of the above? Certainly bullets 2 and 3 of the subsequent Operator Experience are client functions that lie outside the scope of the draft and would absolutely not be present if a CA provides an ACME client as a customer service. (These bullet points could be added as a note to illustrate the kinds of functionality that could be provided by an ACME client if required.) Depending on who offers the ACME client there may be payment models involved which, while being outside the scope of the draft, may be a deployment-limiting factor. In spite of the general discussion about DV vs OV and EV certificates, it was still not clear what type of cert this draft was addressing (only kinda clarified in the last para of section 4 as a DV with necessary limitations). Surely it should be made explicit in section 2.
Section 4.
Each distinct step should have a subsection reference, e.g. 4.1 Registration, da da etc. (makes commenting easier and forces logical step separation). The sentence beginning 'The "add a domain" function...' is completely out of place, and indeed as far as I can tell the term '"add a domain" function' is never used again in the entire draft. I assume it references the section immediately following registration, so this could be 4.2 Add a Domain (?? see my previous email also for other implications), then 4.3 Certificate Issue, 4.4 Revocation Procedures or whatever.

Regards

--
Ron Aitchison                      www.zytrax.com
ZYTRAX                             [email protected]

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme