Barry Leiba has entered the following ballot position for draft-ietf-acme-tls-alpn-06: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-acme-tls-alpn/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I have only editorial comments below. No response is needed — please just consider incorporating these, as I think they’ll help make the document clearer.

— Abstract —

   This document specifies a new challenge for the Automated Certificate Management Environment (ACME) protocol which allows for domain control validation using TLS.

This needs “that” instead of “which”, making the clause restrictive.

— Section 3 —

   Trailing'=' padding characters MUST be stripped.

There’s a space missing after “trailing”.

   The client prepares for validation by constructing a self-signed certificate which MUST contain a acmeIdentifier extension and a

“That”, not “which”.

   The ACME server MUST provide a ALPN extension with the single protocol name "acme-tls/1" and a SNI extension containing only the domain name

Change “a” to “an” in both places (unless you really say “snee” instead of “ess en eye”).

— Section 5 —

   The first assumption is that when a server is being used to serve content for multiple DNS names from a single IP address that it properly segregates control of those names to the users that own

The second “that” needs to go; the first one covers it.

   a TLS request using a SNI value for Host A

Again, “an”, unless…

— Section 7 —

   The TLS ALPN challenge exists to replace the TLS SNI challenge defined in the early ACME drafts.
   This challenge was convenient for service providers who were either operating large TLS layer load

What is the antecedent to “this”? Is it the ALPN challenge, or the SNI challenge? I have no idea; please clarify.

   A security issue was discovered in the TLS SNI challenge by Frans Rosen which allowed users of various service providers to

The phrasing would be better this way, to avoid separation of the connected parts (the TLS SNI challenge was not by Frans Rosen):

NEW
   A security issue in the TLS SNI challenge was discovered by Frans Rosen, which allowed users of various service providers to
END

   (i.e. if User A registered Host A and User B registered Host B with a service provider that User A wouldn't be able to respond to SNI traffic for Host B).

First, “i.e.” needs a comma after it. Second, I can’t parse this at all. Can you please rephrase it so it makes sense?

   This turns out not to be a security property provided by a number of large service providers.

NEW
   It turns out that a number of large service providers do not honor this property.
END

   Because of this users were able to respond to SNI traffic

I’ve ignored a lot of missing commas, but this one really needs one after “this”.

   This meant that if User A and User B had registered Host A and Host B respectively User A would be able to claim the SNI name for Host B and when the validation connection was made that User A would be able to answer, proving 'control' of Host B.

Comma needed both before and after “respectively”, and another after “made”.

— Section 8 —

   and especially Frans Rosen who discovered the vulnerability in the TLS SNI method which necessitated the writing of this specification.

Add a comma after “Rosen”, and change “which” to “that”.
