Hi! I performed an AD review of draft-ietf-acme-subdomains-04. Thanks for this work to extend ACME capability. I have a few comments below, but they aren't significant enough to hold the document. Please address them concurrently with IETF LC.
** Section 1. Editorial.

   ACME [RFC8555] defines a protocol that a certification authority (CA) and an applicant can use to automate the process of domain name ownership validation and X.509v3 (PKIX) [RFC5280] certificate issuance. This document outlines how ACME can be used to issue subdomain certificates, without requiring the ACME client to explicitly fulfill an ownership challenge against the subdomain identifiers - the ACME client need only fulfill an ownership challenge against a parent domain identifier.

Sentence one talks about a "CA" and an "applicant". With no bridging, sentence two starts using a different term of "ACME client".

** Section 2. Editorial.

This section takes direct quotes out of RFC8499 but does not put quotation marks around them. However, when text is taken from RFC1034 it has quotes. Recommend consistency.

** Section 3.

As with the clarification on "identifiers", consider saying a bit more about ACME supporting multiple validation methods. Pointing to https://www.iana.org/assignments/acme/acme.xhtml#acme-validation-methods would make for an easy and durable enumeration.

** Section 3.

   ACME places the following restrictions on "identifiers":

   * [RFC8555] section 7.1.4: the only type of "identifier" defined by the ACME specification is an FQDN: "The only type of identifier defined by this specification is a fully qualified domain name (type: "dns"). The domain name MUST be encoded in the form in which it would appear in a certificate."

It seems like there is a subtle distinction to clarify here. Yes, RFC8555 only specified the "dns" identifier. However, it also enabled a broader ACME ecosystem via https://www.iana.org/assignments/acme/acme.xhtml#acme-identifier-types. Isn't the relevant thing to say here that _this_ document only supports the "dns" identifier?

Regards,
Roman
