address comments from AD review

AS207960 · Nov 7, 2024 · 1e17462 · 1e17462
1 parent 7d9bb8b
commit 1e17462
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/draft-ietf-acme-onion.xml b/draft-ietf-acme-onion.xml
@@ -8,7 +8,8 @@
 ]>
 
 <rfc xmlns:xi="http://www.w3.org/2001/XInclude"
-     ipr="trust200902" submissionType="IETF" category="std" version="3" docName="draft-ietf-acme-onion-latest">
+     ipr="trust200902" submissionType="IETF" category="std" version="3" docName="draft-ietf-acme-onion-latest"
+     consensus="true">
   <front>
     <title abbrev="ACME for .onion">Automated Certificate Management Environment (ACME) Extensions for ".onion"
       Special-Use Domain Names</title>
@@ -22,7 +23,7 @@
           <code>CF23 9EU</code>
           <country>United Kingdom</country>
         </postal>
-        <email>q@as207970.net</email>
+        <email>q@as207960.net</email>
         <email>[email protected]</email>
         <uri>https://magicalcodewit.ch</uri>
       </address>
@@ -65,8 +66,8 @@
         <t>The key words <bcp14>MUST</bcp14>, <bcp14>MUST NOT</bcp14>, <bcp14>REQUIRED</bcp14>, <bcp14>SHALL</bcp14>,
           <bcp14>SHALL NOT</bcp14>, <bcp14>SHOULD</bcp14>, <bcp14>SHOULD NOT</bcp14>, <bcp14>RECOMMENDED</bcp14>,
           <bcp14>NOT RECOMMENDED</bcp14>, <bcp14>MAY</bcp14>, and <bcp14>OPTIONAL</bcp14> in this document are to be
-          interpreted as described in <xref target="BCP14"/> when, and only when, they appear in all capitals,
-          as shown here.</t>
+          interpreted as described in <xref target="BCP14"/> (<xref target="RFC2119"/>, <xref target="RFC8174"/>) when,
+          and only when, they appear in all capitals, as shown here.</t>
       </section>
     </section>
 
@@ -113,7 +114,9 @@
             ".onion" Special-Use Domain Names, with the modifications defined in this standard, namely
             <xref target="client-auth"/>, and <xref target="caa"/>.</t>
           <t>The ACME server <bcp14>SHOULD</bcp14> follow redirects; note that these <bcp14>MAY</bcp14> be redirects to
-            non ".onion" services, and the server <bcp14>SHOULD</bcp14> honour these.</t>
+            non ".onion" services, and the server <bcp14>SHOULD</bcp14> honour these. See
+            <xref target="RFC8555" section="10.2"/> for security considerations on why a server might not want to
+            follow redirects.</t>
         </section>
         <section>
           <name>Existing "tls-alpn-01" Challenge</name>
@@ -136,8 +139,9 @@
           <dd>The string <tt>onion-csr-01</tt></dd>
           <dt>nonce (required, string)</dt>
           <dd>A Base64 <xref target="RFC4648"/> encoded nonce, including padding characters.
-            It <bcp14>MUST</bcp14> contain at least 64 bits of entropy. A response generating using this nonce
-            <bcp14>MUST NOT</bcp14> be accepted by the ACME server if the nonce was generated more than 30 days ago.</dd>
+            It <bcp14>MUST</bcp14> contain at least 64 bits of entropy. A response generated  using this nonce
+            <bcp14>MUST NOT</bcp14> be accepted by the ACME server if the nonce used was generated by the server more
+            than 30 days ago.</dd>
           <dt>authKey (optional, object)</dt>
           <dd>The Ed25519 public key encoded as per <xref target="RFC8037"/>.</dd>
         </dl>
@@ -187,7 +191,7 @@ applicantSigningNonce ATTRIBUTE ::= {
           The public key presented in this CSR <bcp14>MUST</bcp14> be the public key corresponding to the ".onion"
           Special-Use Domain Name being validated. It <bcp14>MUST NOT</bcp14> be the same public key presented in the
           CSR to finalize the order.</t>
-        <t>Client respond with the following object to validate the challenge:</t>
+        <t>Clients respond with the following object to validate the challenge:</t>
         <dl>
           <dt>csr (required, string)</dt>
           <dd>
@@ -296,7 +300,7 @@ introduction-point AwAGsAk5nSMpAhRqhMHbTFCTSlfhP8f5PqUhe6DatgMgk7kSL3
           there is in the DNS there is no need, nor indeed any method available, to search up the DNS tree for a
           relevant CAA record set. Similarly, it is also impossible to check CAA records on the "onion" Special-Use TLD,
           as it does not exist in any form except as described in <xref target="RFC7686"/>, so implementors
-          <bcp14>MUST</bcp14> not look here either.</t>
+          <bcp14>MUST NOT</bcp14> look here either.</t>
         <t>Instead all subdomains under a ".onion" Special-Use Domain Name share the same CAA record set. That is,
           all of these share a CAA record set with "a.onion":</t>
         <ul>

diff --git a/lib b/lib
+1 −1		.circleci/config.yml
+10 −0		.github/dependabot.yml
+6 −6		.github/workflows/docker.yml
+1 −1		.github/workflows/template.yml
+1 −1		Gemfile
+1 −1		README.md
+3 −3		archive.mk
+38 −13		build-index.sh
+12 −0		build-targets.sh
+35 −9		config.mk
+98 −37		deps.mk
+9 −3		doc/ADOPTING.md
+6 −1		doc/FEATURES.md
+3 −0		doc/REPO.md
+32 −16		doc/SETUP.md
+8 −4		doc/SUBMITTING.md
+7 −4		doc/TEMPLATE.md
+11 −8		doc/TOOLS.md
+8 −19		docker/action/Dockerfile
+1 −1		docker/action/Gemfile
+2 −0		docker/action/entrypoint.sh
+8 −1		docker/math/Dockerfile
+2 −2		extract-metadata.py
+62 −0		get-email.sh
+38 −24		ghpages.mk
+14 −6		id.mk
+6 −5		main.mk
+9 −7		pre-commit.sh
+2 −1		setup-branch.sh
+6 −5		setup-note.sh
+1 −1		setup.mk
+1 −1		template/.github/workflows/archive.yml
+2 −2		template/.github/workflows/ghpages.yml
+10 −2		template/.github/workflows/publish.yml
+1 −1		template/.github/workflows/update.yml
+20 −3		template/issues.js
+0 −3		tests/setup.feature
+1 −1		trace.sh
+26 −12		upload.mk
+24 −34		v3.css
+10 −10		venv.mk