IETF Logo Mail Archive

[art] Against BCP 190

Rob Stradling <rob@sectigo.com> Fri, 12 July 2019 16:45 UTC

Return-Path: <rob@sectigo.com>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48F6A120191 for <art@ietfa.amsl.com>; Fri, 12 Jul 2019 09:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K-r-5512shR3 for <art@ietfa.amsl.com>; Fri, 12 Jul 2019 09:45:34 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-eopbgr810043.outbound.protection.outlook.com [40.107.81.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 517781201E4 for <art@ietf.org>; Fri, 12 Jul 2019 09:45:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Vrhcr0e9160Qchr3h/vHaHdpGObtGhOGtib6NBu46d659xelEWdV9Q4zvMD995cX60O/Wy/rFtnbclR3SZCLngdK8ixD34zMoUqwailb8tCglA2ecekIVCGQkzBcx60NboUv/+SSM/3P40kO2fUQL/CtleUdVE3LoW4q1CN8XTcbiAHAHrWiPz6y0cmd4i+VmlZ5wzJO2vqAiMdVzkVHNg2HtVpABHI8/wxwtD7ky+4QMYp3DZtZpV6NxMYV8DHw3GeZtE93bXwaLbVkla3FL0E4TCNyanSiA8EG5svNL7DR4VWeu1+RxgkK+U6Q7f7SURhjEhB7KIdWBQRoyR+ycA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eB8OcN9aghpbDnPYkE0Tmgt7y1dDLI9MNfPMzNJZkaM=; b=I4muNB2bneqXP11occmp3tFVTQ+fvNpAci32A69O90HUgWlaneUe4nVWIAI8GoMfoSTdb/gqVVcgq47TmXWHBk9FVpyR+ALmp8UkR3dH2+Sldx5l/ci8yJWen/AOieLTVTVdhPniuzjN/4mH/ot+BZpH9EoSWD8qLm+9LGdNNkcNqNW+p31+PECBoFsU75jmdoCJZzbjsUxXv5E8xllfI0QUoUE3AZRnzZzQ2cUIYClRovutcWLcdJnoc+Xyd/OYr2MGujeqaG86N1nwccfTHCO4xPzTZWyFiaD8IkPMKNXEaYi6Oi1ztRm8hz0eUs4BYrfrciBpKMNBGZvXFRi2lg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=sectigo.com;dmarc=pass action=none header.from=sectigo.com;dkim=pass header.d=sectigo.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector1-comodoca-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eB8OcN9aghpbDnPYkE0Tmgt7y1dDLI9MNfPMzNJZkaM=; b=kgkk+w39IaNopFq1N+/KraSsKr2fU1S1kTrDW9YJqs2oexpA8ESVdxbj7F9JGXC2/NznIqSyZTUEqnu3p3oPqsCqT2sJNfyfFsiIOxN8fp021qLVND67awrZ4ANcIbiKajSrdyFUCDWj+kwtZtQfrpT+3zrwUp6Xc0EIkoLzp3k=
Received: from DM5PR17MB1211.namprd17.prod.outlook.com (10.173.132.148) by DM5PR17MB0937.namprd17.prod.outlook.com (10.168.115.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Fri, 12 Jul 2019 16:45:32 +0000
Received: from DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258]) by DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258%6]) with mapi id 15.20.2052.019; Fri, 12 Jul 2019 16:45:32 +0000
From: Rob Stradling <rob@sectigo.com>
To: "art@ietf.org" <art@ietf.org>
Thread-Topic: Against BCP 190
Thread-Index: AQHVONE49QiOuql8SkKGOYCD0sBxdg==
Date: Fri, 12 Jul 2019 16:45:31 +0000
Message-ID: <791b33b8-4696-f69c-aca3-8838b2caafd8@sectigo.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: CWLP123CA0083.GBRP123.PROD.OUTLOOK.COM (2603:10a6:401:5b::23) To DM5PR17MB1211.namprd17.prod.outlook.com (2603:10b6:3:8b::20)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@sectigo.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [96.225.92.103]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 209543f7-a915-42f8-71ff-08d706e85a88
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR17MB0937;
x-ms-traffictypediagnostic: DM5PR17MB0937:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DM5PR17MB0937A1CA75A9AF47B1066BF3AAF20@DM5PR17MB0937.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00963989E5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(396003)(39860400002)(136003)(346002)(376002)(366004)(189003)(199004)(478600001)(2906002)(2501003)(8676002)(81166006)(966005)(6486002)(6916009)(26005)(81156014)(1730700003)(2351001)(14444005)(5640700003)(66556008)(64756008)(66476007)(6436002)(66946007)(31686004)(2616005)(6116002)(186003)(66446008)(3846002)(66066001)(256004)(16799955002)(8936002)(7116003)(305945005)(476003)(99286004)(5660300002)(14454004)(7736002)(316002)(53936002)(71190400001)(25786009)(71200400001)(102836004)(6506007)(386003)(6306002)(68736007)(36756003)(86362001)(6512007)(52116002)(31696002)(486006)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR17MB0937; H:DM5PR17MB1211.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: sectigo.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: YfgxBTnBKUV1R1jCcyL+sfzQLl3h540Sbe5Ucu7S0xtxlJ5zdziTX9qO6xWy/n+LSvzGJcgNZmDfftSZIrqKXH/D0n2v+3lvyJpapR1VImjurpMDhnPtAtWYePeJAkY6y0Zzv9NGlhzCenqgTWJ4wyB6QOQDVkryS32vXy8KawGr+ucnGxZszTgbg4J23kvpmbnar86CLCbG2/+w5JgtFXHO1hTzDFexmqJwTzIb10ALWxe2D9jNjeFVZ5VaHmDlJMOklUnwBxyq+fV0Gix0TC4T2ZzEoyyhTxQcI8doBwcZvdItBVxHa3OAqCsTV9DqHNqXHc0kGROZGYefz2pfj3ekAIhTuk3/MR72RHlyCIBJDHoPg2NUn87LqjGrdnjP8O0LbCIh1u/Uq2IGmvctDg/Mr4HIqfQOqYrcU0JsXQ0=
Content-Type: text/plain; charset="utf-8"
Content-ID: <F770791EB4F5214E9E43CD9932407D1A@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 209543f7-a915-42f8-71ff-08d706e85a88
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jul 2019 16:45:31.9617 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: robs@comodoca.net
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR17MB0937
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/rAP7xrOek1lpO96UU-xuG6bmKRc>
Subject: [art] Against BCP 190
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 16:45:37 -0000

During IESG review of RFC6962-bis (Certificate Transparency Version 
2.0), BCP 190 is creating significant problems in standardizing 
HTTP-based APIs.  Specifically, this paragraph of section 2.3 
(https://tools.ietf.org/html/bcp190#section-2.3):

    Specifying a fixed path relative to another (e.g., {whatever}/myapp)
    is also bad practice (even if "whatever" is discovered as suggested
    in Section 3); while doing so might prevent collisions, it does not
    avoid the potential for operational difficulties (for example, an
    implementation that prefers to use query processing instead, because
    of implementation constraints).

This paragraph should be struck.  It is out of date, since all modern 
web servers can trivially rewrite paths to query components and back 
again.  It also encourages inserting levels of indirection that add 
complexity and bugs.

In RFC6962, all paths are specified relative to a "log server" prefix 
that can contain a path as well as a server name and a port:

   POST https://<log server>/ct/v1/add-chain
   GET https://<log server>/ct/v1/get-sth
   GET https://<log server>/ct/v1/get-entries?start=1000&end=2000
   … 5 more request types defined similarly ...

This version of CT, which preceded BCP 190, has been in production use 
for several years, with multiple independent implementers on both the 
server side and the client side.  There have been no complaints that 
specifying paths in these ways is at all difficult or interferes with 
operation of other software.

A similar problem arose during ACME standardization.  At first it was 
solved by defining a "straight through" issuance path where each step 
provided a URL for the next step.  This was abandoned because there are 
plenty of issuance cases that are not straight-through - for instance, 
revocation.  Now ACME indirects all requests through a "directory" JSON 
object that maps, e.g. "newAuthz" to "https://example.com/newAuthz". 
This works moderately well, but adds complexity, increases the total 
number of requests, and as it turns out, may have bugs 
(https://www.rfc-editor.org/errata_search.php?eid=5771).

For 6962-bis, the TRANS WG has cycled through three different attempts 
to work around BCP 190: a .well-known path prefixing all the paths 
defined by the API, a directory, and treating the entire set of request 
types as parameters to a log definition delivered out of band.  All were 
found to be unsatisfactory.  The affected URI owners (log operators) are 
being prevented by BCP 190 from doing what they would prefer to do with 
their URI space, which is to use URIs constructed in the same manner as 
RFC6962 (with "/ct/v1" changed to "/ct/v2").

BCP 190 is standing in the way of standardizing simple, sensible HTTP 
APIs and should be amended.

Thanks,

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

v2.23.0 | Report a Bug | By Email