Hi Thomas,

Trimming to just the one part that needs a response other than "thanks"...

On Fri, Jun 11, 2021 at 08:54:17AM +0000, Thomas Fossati wrote:
> Hi Ben,
>
> Thank you again for your comments; Yaron has just pushed -09 which
> should address most of them -- see below for the detail.
>
> On 10/06/2021, 08:00, "Benjamin Kaduk" <[email protected]> wrote:
> > Section 3
> >
> > Although most of this document, and in particular Section 2 is
> > focused on the protocol between the NDC and to IdO, the protocol does
> > affect the ACME server running in the CA. A CA that wishes to
> > support certificate delegation MUST also support unauthenticated
> >
> > Is it correct to say "non-STAR certificate delegation" here? (The
> > corresponding change needed to support STAR delegation would have been
> > done already to support non-delegated STAR issuance, if I understand
> > correctly.)
>
> I don't think the observation is correct: STAR issuance does not require
> the server to support unauthenticated GET. It is a feature that the
> client needs to request explicitly, and the server could refuse if it
> does not implement it -- or for any other reason. (See Section 3.4 of
> RFC8739.)
>
> Or have I misinterpreted your thought?

My thinking was something along the lines of "the new protocol mechanisms
in this document don't affect the CA operation for the STAR issuance case,
since the CA protocol mechanisms for the STAR case are specified in
RFC 8739". But you are also correct to say that in order to use the
mechanisms in this document the CA has to do/implement something that
8739 did not require of it. Since this text is not clearly about "new
protocol mechanisms" vs "actually using the protocol", I think you are
correct and we should leave the text as-is.

Thanks again for all the updates and explanations!

-Ben

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
