IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Richard Barnes <rlb@ipv.sx> Fri, 31 August 2018 21:41 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F0A130E65 for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 14:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N3TkqsHFsDbT for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 14:41:17 -0700 (PDT)
Received: from mail-oi0-x242.google.com (mail-oi0-x242.google.com [IPv6:2607:f8b0:4003:c06::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F412012785F for <acme@ietf.org>; Fri, 31 Aug 2018 14:41:16 -0700 (PDT)
Received: by mail-oi0-x242.google.com with SMTP id 8-v6so24249927oip.0 for <acme@ietf.org>; Fri, 31 Aug 2018 14:41:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DLR4AwDkCwCKt87PGfTKgGlc3AbllCwphCnTx7m1XFU=; b=QjXDPpp9lxyKemmRAr9v2/WNNP+0YC+XEeT/Auj2Eh7RujUVAIOcPTT76fGnfuCsxi /eDr43DP5XvWB3iXv8evXTu0reOSgsWGgtabdDJ2MEfIOipTIEVDrTIRL3wPiFfQG0cE LCaK+uao6zj3S3+oo+FXFnKs2tMKyhV/p33fYI2VahSWUujBPvhdjdq3jLkx+epUTxsK O9pToNAnRLj6os5GCcqwsXb7dmkcb9ZU7fIYCvu6BNDf3rgt8aiJSl5uAaVAC2cFQdKB 0bqeJqlaZ2/cQ7jj04bssB3vwdXRhUxL3KL6xyDHz2hS7g6CYC0bzK5W1fGavDsxJuvX deCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DLR4AwDkCwCKt87PGfTKgGlc3AbllCwphCnTx7m1XFU=; b=mIK6P9CN/EjMD4Tk6kFBtBlXk5SodZ+RxKu/kSA4ymvIS1SGNVpaKvKZTOpKsj7vVv bMxqFPqS5UuVqKcbN/WdWX8h7K4OROXmGnax4YEfF52U5zBhal/Iq21xy+MQ/1J2AZrD VWd0wS77yx3m83zH3nXH6ETOXoMi12DMH7+GzIBzXzqyHX0m8hbOeXAiFeLQv10bopr9 piQB4YsZ5XDCoV8SM2YdBKU+UajSusdujb+LWTHPmMtt/NCA8DVzE8U9a0H2MuIrgAjo cKlBV6CXQs2RpMovdm9uExXwnpmckwFxVS44QNDYmiXVXna9kajqCL7hOYGsK56nGKx5 rLLA==
X-Gm-Message-State: APzg51AQfGYPnkr1u/tXkxuFsUSDsllxXTBxxnpRN6Feny7WPj/zsTnQ 8nEeM1Uj1qf3AO5sWFf3FwOPRYVr9ti0+5Y+fPVj3A==
X-Google-Smtp-Source: ANB0VdbTjs2g46OXZidCtpCQ7m8o/J/Msi16GqOCC3PmMtiq3uniiKC3XL5cEO2L5WYvF2IXQwMOIcgYgjqV7lHSv6Q=
X-Received: by 2002:aca:f189:: with SMTP id p131-v6mr9613132oih.14.1535751676080; Fri, 31 Aug 2018 14:41:16 -0700 (PDT)
MIME-Version: 1.0
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com> <CAL02cgTLEMAMZQicNvXzQrRnGeemrUojmGe_8r=e_YZCNazdsQ@mail.gmail.com> <D171FC21-64FA-4438-AF45-520B5AFEEBF7@akamai.com> <CAL02cgQXx0fBUuxa8ivwTk09J5h8tWiNP8b+8taY8wPJxLypeA@mail.gmail.com> <4404d740-504c-bba7-d30d-dff385bd1216@eff.org>
In-Reply-To: <4404d740-504c-bba7-d30d-dff385bd1216@eff.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 31 Aug 2018 17:41:04 -0400
Message-ID: <CAL02cgQNtWAfqv_7++MLfpcM4hnhY8MGQpyxc2BG3YRBArcYQQ@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF ACME <acme@ietf.org>, Felipe Gasper <felipe@felipegasper.com>
Content-Type: multipart/alternative; boundary="0000000000001dcf550574c20d1b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/8a6emI9_QSoftRjW-hqcMYSVvN4>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 21:41:19 -0000

On Fri, Aug 31, 2018 at 3:30 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 08/31/2018 07:25 AM, Richard Barnes wrote:
> > The problem with using POST-as-GET for certificate resources, as
> > Felipe I think pointed out, is that the thing that downloads the
> > certificate URL is often not an ACME player, doesn't have an account,
> > etc.  It's a web server or something. (cf. the STAR drafts.)  What I'm
> > saying is that it's painful to make them integrate with ACME and we
> > don't get any benefit.
> AFAIK, no current ACME client hands off certificate URLs to
> less-privileged processes.
>
> Keeping GETs for certificates undermines the goal of making the
> POST-as-GET change. Certificate resources may be constructed in
> enumerable ways, like:
>
> /account/100/certificate/3438
> /account/201/certificate/3439
> /account/100/certificate/3440*
>
> While many CAs may not consider correlation of certificates by account
> to be sensitive, our goal with this change is to eliminate a footgun for
> CAs who do consider it sensitive, by simply ensuring all requests are
> authenticated by default. Consistent authentication also has the
> potential to simplify by client and server libraries.
>
> I think it would be a mistake to carve out this exception in the main
> ACME spec for use cases that are still speculative. Instead, if there is
> a use case that truly requires unauthenticated certificate retrieval, it
> should be defined as an extension or an optional feature.
>

I understand the desire for uniformity; I'm just concerned we're going
overboard here.

I could live with this being optional, but I would prefer to go ahead and
add it (because STAR needs it) and keep the negotiation minimal.  I would
propose that we just say the server MAY accept GETs for certificate URLs,
returning 405 if not.

That way a client with a GET-based use case would have to either find out
out of band that the server was compatible, or else fail when it tries.
But that seems like an acceptable outcome to me.  If we need an "I always
do cert+GET" signal, we can toss it in the "meta" dictionary later.

--Richard


>
> In short, I think certificates should be POST-as-GET just like the other
> resources.
>
> *Note: I'm aware that certificate serial numbers must be randomized, but
> there is no requirement that the certificate serial number be present in
> the URL.
>

v2.23.0 | Report a Bug | By Email