These changes resolve my concerns. Russ
> On Apr 9, 2021, at 5:40 PM, Brian Sipos <[email protected]> wrote: > > Russ, > Thank you for the review comments. My responses are inline with prefix > "[BS1]". > >> I think that this document is almost ready. I have a few comments. > >> MAJOR: > >> Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that >> profile does not require the certificate to > include an EKU of id-kp-bundleSecurity. When this document is used to verify > control over the DTN Node ID, I think the > issued certificate MUST include an EKU of id-kp-bundleSecurity. If other > means are used to validate other identities, > then other EKU values might be included as well. > > [BS1] This seems reasonable to require. I suppose the "email-reply-00" > document [1] just leaves out any discussion of > EKU because the preexisting S/MIME documents define a more concrete > certificate profile and there is a lot of momentum > behind S/MIME implementation. I'm going to add statements about the EKU in > the CSR and the issued certificate. > >> Section 4.2 is talking about S/MIME certificates. I think there is a >> cut-and-paste error here. > > [BS1] Yes, these statements should replace "S/MIME" with "bundle security". > >> MINOR: > >> Section 3.1 says: "The only over-the-wire data required by ACME for a >> Challenge Bundle is a nonce token ...". This > is the first time that "nonce" appears in the document. Please reword. > > [BS1] I removed this statement and replaced it with a statement about the > token-part2 scope: > The <token-part2> value included in this object is fixed for the entire > challenge, and may correspond with multiple > separate <token-part1> values when multiple Challenge Bundles are sent for a > single validation. > >> Section 3.3 and 3.4: in the beginning of the section, please add a pointer >> to the document that defines these > parameters. I think it is draft-ietf-dtn-bpbis. > > [BS1] That is the correct reference. I am adding a statement at the top of > each section. > >> Section 6.1: please provide a reference for "BPSEC key material", and please >> spell out "BCB". > > [BS1] I removed this speculative text and replaced it with: > It is possible for intermediate BP nodes to encapsulate-and-encrypt Challenge > and/or Response Bundles while they > traverse untrusted networks, but that is a DTN configuration matter outside > of the scope of this document. > >> NITS: > >> Section 1: please spell out BP on first use. >> Section 2: s/wildcard ("*") character/wildcard character ("*")/ >> Section 6.2: please spell out "BIB". > > [BS1] I am correcting all of these typos. > > > [1] https://tools.ietf.org/html/draft-ietf-acme-email-smime-14 > > _______________________________________________ > Acme mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/acme _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
