[Acme] Concerning alternative formats …
Felipe Gasper <felipe@felipegasper.com> Mon, 05 March 2018 14:11 UTC
Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38ACA12D7E5 for <acme@ietfa.amsl.com>; Mon, 5 Mar 2018 06:11:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsWZphxnoOEF for <acme@ietfa.amsl.com>; Mon, 5 Mar 2018 06:11:16 -0800 (PST)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1A38120454 for <acme@ietf.org>; Mon, 5 Mar 2018 06:11:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=Dk+mHLpfedldWRkgQZ9/qLuhAY7Ui8fD5GOcHBWX8QQ=; b=ib3lisPZD1I7Y5WW39oyO3ag5 jBM4W205afuIwH3WFzOlNqsLXPx/3y6Fa5LSmF5Iu0WQedrQ8t6JAT07nVUjLR0tGqJ6K7CLxFVjL u6AIIi4SD/G6aeMGvdabvhv2fTQ+RTv1WbJcR5GQa8i73I+J5qK5XxgOeP9tSr4jLgpvExJxa5Yp2 idXQDWD+RYlIKOT3wEXLheP94gOGpeAKcT6D0ZXXV2cP499dHAl4oAy2ui8+JeT77LV3yKztuRbW9 I2G3HKo4KUS5D38ejmdzFWtSvDB4rPWS58zQgYW91sJo0wBeZ5g5I2J2sxzYHn40cSkzEhMfilHfP agnbaVGuQ==;
Received: from cpe64777d56aa33-cm64777d56aa30.cpe.net.cable.rogers.com ([99.248.33.160]:50549 helo=[192.168.0.10]) by web1.siteocity.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <felipe@felipegasper.com>) id 1esqpT-0007de-18; Mon, 05 Mar 2018 08:11:12 -0600
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <CABkgnnVu9MjfMtJ7tmoTBLT+3qoX2YPZqau92YUW=XqoL-Uf7Q@mail.gmail.com>
Date: Mon, 05 Mar 2018 09:11:02 -0500
Cc: Richard Barnes <rlb@ipv.sx>, Logan Widick <logan.widick@gmail.com>, ACME WG <acme@ietf.org>, Jörn Heissler <acme-specs@joern.heissler.de>, Fraser Tweedale <frase@frase.id.au>
Content-Transfer-Encoding: quoted-printable
Message-Id: <50502D5E-89F4-4CEC-A947-AF37032A0381@felipegasper.com>
References: <CAMmAzEKJhMaUBtCWSNZyGv-f+-edZ-WTq3=WFD_b1bXfvua89A@mail.gmail.com> <20180106001126.GB3076@carrot.tutnicht.de> <CAMmAzELgjpAmVCX6YB0VMvNQV3NH3NDdM_pdcz6d+h=ZO2rJww@mail.gmail.com> <CAMmAzEKMffffrxAihotVWPpqy=LaRkpSJuW9CpSVoQfLQ-nBwQ@mail.gmail.com> <CAL02cgRLXkkQECF5ssGh39uFL0xJp-3EODxGSQVzfPuEnE7FgA@mail.gmail.com> <63F4F466-8398-41E6-BD25-5414ADA9D1B3@felipegasper.com> <CAMmAzEKksnuBi0LPHsAsd2qs1brbMqrJBdtsbArTr6HhGrkN+A@mail.gmail.com> <CAL02cgRrH9fG-E9_oc4naSNvE4igaUcs9wXDfTtCTUCx+c4wbg@mail.gmail.com> <20180304125854.GH2161@carrot.tutnicht.de> <CAMmAzEJ0A2iOd2ASSHGJRfuB6Ss-BaOCXWsxUKUZx9UUzbT1ng@mail.gmail.com> <20180304143300.GI2161@carrot.tutnicht.de> <CAMmAzELuDLp4KxPtLgHp8AoyKGLOOjx4HPSrhDJ=yJ9RytU_vw@mail.gmail.com> <CAL02cgSAQaE0Qd=q3aSEDZdGe0TwyHs60xn-042OhKxu5LHxYA@mail.gmail.com> <CABkgnnWKhQ99qHtN8PkyG=6zNbJeGPYstL7Hgek36nR+747oHg@mail.gmail.com> <CAL02cgQFvVNEyBEAPsPdAtWK+VL0aPxdDqhZc_yrVLza4keZmg@mail.gmail.com> <CABkgnnUeiZvckTBRZNAv1Psg+ge-xK+y6vhSA4h2Ve_9_Nt8cg@mail.gmail.com> <CAL02cgSbgr69Qbd23MfF=gOrDn6wUXwDfx0Qv=H6RczoC2uasA@mail.gmail.com> <CABkgnnVu9MjfMtJ7tmoTBLT+3qoX2YPZqau92YUW=XqoL-Uf7Q@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/9kC8464NxLev-WcXCwnfgfD__6Y>
Subject: [Acme] Concerning alternative formats …
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 14:11:23 -0000
For what it’s worth: Regarding alternative formats, I think ACME over WebSocket would be a great thing. Replay-nonce would go away, and clients wouldn’t need to poll for the certificate unless the connection dropped. The server could send the certificate as soon as it’s ready. A simple handshake at the start could take the place of JWS, too. -F > On Mar 5, 2018, at 12:02 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > > Unless you believe that an alternative format is ever desirable. CBOR > for version 2 might be a terrible idea, but I know the IETF well > enough not to rule that out entirely. > > On Mon, Mar 5, 2018 at 3:38 PM, Richard Barnes <rlb@ipv.sx> wrote: >> I also note that there's no issue with Accept if we require the use of the >> Flattened JSON serialization. >> >> https://i.imgflip.com/25r2ui.jpg >> >> https://github.com/ietf-wg-acme/acme/pull/410 >> >> On Sun, Mar 4, 2018 at 6:28 PM, Martin Thomson <martin.thomson@gmail.com> >> wrote: >>> >>> That's a bit silly. I'll follow-up with httpbis. I think that's an >>> error, though probably only an error of omission. 7694 was so fixated >>> on solving the content-coding issue, it neglected the obvious >>> accompanying fix. >>> >>> On Mon, Mar 5, 2018 at 9:38 AM, Richard Barnes <rlb@ipv.sx> wrote: >>>> How about Accept? It looks like 7694 gives the server a way to specify >>>> encodings, but not the content type. But 7231 says that Accept only >>>> replies >>>> to response media types. >>>> >>>> On Sun, Mar 4, 2018 at 5:33 PM, Martin Thomson >>>> <martin.thomson@gmail.com> >>>> wrote: >>>>> >>>>> 415 is for the case where a client provides bad request content, so >>>>> yes. >>>>> See rfc7694 for details. >>>>> >>>>> 406 is for failed conneg. Not something you expect to see much here. >>>>> >>>>> >>>>> On 5 Mar. 2018 09:25, "Richard Barnes" <rlb@ipv.sx> wrote: >>>>> >>>>> The lengths of the emails in this thread illustrate the complexity risk >>>>> here :) >>>>> >>>>> In the interest of simplicity, I would really like to stick to >>>>> Flattened >>>>> JSON unless someone has **strong** objections. >>>>> >>>>> Logan, to your point about library compatibility, two notes: (1) it's >>>>> OK >>>>> if we front-run libraries a little. It's not hard for libraries to >>>>> upgrade; >>>>> this is only formatting, no crypto changes needed. (2) Empirically, >>>>> this >>>>> must not be too big a blocker for people, since as Jacob notes, Let's >>>>> Encrypt only supports Flattened JSON right now and they've got a bunch >>>>> of >>>>> clients talking to them. >>>>> >>>>> As far as headers / response codes: You're correct that 406 is wrong / >>>>> 415 >>>>> is right. But ISTM that Accept is still the right header to say what >>>>> is >>>>> right. So the server should return 415+Accept. Copying Thomson to >>>>> check >>>>> our work here. >>>>> >>>>> --Richard >>>>> >>>>> On Sun, Mar 4, 2018 at 10:43 AM, Logan Widick <logan.widick@gmail.com> >>>>> wrote: >>>>>> >>>>>> How about this: Specify a default format (either "application/jose" >>>>>> for >>>>>> Compact Serialization, or "application/jose+json" with Flattened >>>>>> Serialization - I have no preference which one), with optional support >>>>>> for >>>>>> other formats if needed? Even with JOSE libraries that don't support >>>>>> all >>>>>> serializations and/or don't provide control over which serialization >>>>>> is >>>>>> used, a programmer would at least need to know (or experimentally find >>>>>> out) >>>>>> if a JSON serialization or if the compact one is being produced. If a >>>>>> JSON >>>>>> serialization is selected as the default, a programmer should be able >>>>>> to >>>>>> convert between the two JSON serializations easily as needed before >>>>>> and/or >>>>>> after using a JOSE library. If a JSON format is declared as the >>>>>> default but >>>>>> the JOSE library only has the compact one, or vice-versa, conversion >>>>>> before >>>>>> and/or after the JOSE library would be more complex but should still >>>>>> be >>>>>> doable with guidance. >>>>>> >>>>>> The directory meta item could be defined as something like: >>>>>> >>>>>> supportedSerializations: An array of supported serialization formats >>>>>> as >>>>>> described in {{jws-serialization-formats}}. If this is not specified, >>>>>> assume >>>>>> that the server only supports [insert selected default here]. >>>>>> >>>>>> Then, the JWS Serialization Formats section could be changed to >>>>>> something >>>>>> like the following: >>>>>> >>>>>> The JSON Web Signature (JWS) specification {{!RFC7515}} contains >>>>>> multiple >>>>>> JWS serialization formats. When sending an ACME request with a >>>>>> non-empty >>>>>> body, an ACME client implementation SHOULD use the HTTP Content-Type >>>>>> {{!RFC7231}} header to indicate which JWS serialization format is used >>>>>> for >>>>>> encapsulating the ACME request payload. >>>>>> >>>>>> Each serialization format defined for use in ACME is described with a >>>>>> content type, and a series of ACME-specific restrictions on root JWS >>>>>> and >>>>>> nested JWS instances. A "root JWS" is a JWS used to encapsulate an >>>>>> entire >>>>>> ACME request payload, and a "nested JWS" is a JWS contained within the >>>>>> ACME >>>>>> request payload (such as the "externalAccountBinding" described in >>>>>> {{external-account-binding}} or the "key-change" object described in >>>>>> {{account-key-roll-over}}). Below are the JWS serialization formats >>>>>> that are >>>>>> defined for use in ACME: >>>>>> >>>>>> [same list as before but with the default format coming first] >>>>>> >>>>>> If no Content-Type is provided, the default serialization type is >>>>>> [insert >>>>>> selected default here]. Servers MUST support [insert selected default >>>>>> here]. >>>>>> [NOTE: If a JSON format is selected as the default, say that a server >>>>>> SHOULD >>>>>> support the other JSON format.] A server MAY support additional >>>>>> serializations, such as [insert serialization(s) not picked here], by >>>>>> including a "supportedSerializations" field in the directory "meta" >>>>>> object >>>>>> as described in {{directory}}. >>>>>> >>>>>> If a server receives a request using a serialization it does not >>>>>> support, >>>>>> the server MUST send a response with HTTP status code 415 >>>>>> (Unacceptable >>>>>> Media Type) and a problem document with error type >>>>>> "unsupportedSerialization". This problem document SHOULD contain a >>>>>> "supportedSerializations" array of strings indicating the acceptable >>>>>> serialization content types. >>>>>> >>>>>> [TODO: If a client uses the General JSON Serialization but it turns >>>>>> out >>>>>> the server only supports the Flattened JSON Serialization (or >>>>>> vice-versa), >>>>>> explain that a 415 response indicates that the client will need to >>>>>> switch >>>>>> JSON formats] >>>>>> >>>>>> [TODO: Insert a sentence or two specifying what happens if a supported >>>>>> serialization is used but the serialization is malformed? Should this >>>>>> be 400 >>>>>> Bad Request + malformed error code + supportedSerializations?] >>>>>> >>>>>> In the examples below, JWS objects are shown in the Flattened JSON >>>>>> serialization, with the protected header and payload expressed as >>>>>> base64url(content) instead of the actual base64-encoded value, so that >>>>>> the >>>>>> content is readable. [Example readability is a very high priority >>>>>> regardless >>>>>> of which serialization format is actually chosen as the default, and >>>>>> the >>>>>> current convention of Flattened JSON + base64url(content) is about as >>>>>> readable as it gets, so I don't think any changes will need to be made >>>>>> here] >>>>>> >>>>>> >>>>>> On Sun, Mar 4, 2018 at 8:33 AM, Jörn Heissler >>>>>> <acme-specs@joern.heissler.de> wrote: >>>>>>> >>>>>>> On Sun, Mar 04, 2018 at 07:45:36 -0600, Logan Widick wrote: >>>>>>>> Good catch. Should it be 415 (Unsupported Media Type) plus which of >>>>>>>> the >>>>>>>> following (or which combination of the following): >>>>>>>> >>>>>>>> - A new problem document field (tentatively named >>>>>>>> "supportedSerializations": an array of media type strings)? >>>>>>>> - A new directory field (tentatively named >>>>>>>> "supportedSerializations": an >>>>>>>> array of media type strings)? >>>>>>>> - Should this go in the directory's "meta" object, or in the >>>>>>>> directory object itself? >>>>>>>> - A HTTP header? >>>>>>>> - Something else? >>>>>>> >>>>>>> I like the directory approach with meta. Then a client could >>>>>>> use this information before sending the first POST. Else the client >>>>>>> would need to change an internal state after receiving the error >>>>>>> message. For my own client, I'm planning to support the OpenPGP smart >>>>>>> card. It takes 3 seconds to generate a signature. If a signature is >>>>>>> wasted to find out that the default serialization is not supported, >>>>>>> it >>>>>>> would be annoying. Having to write a configuration file "use compact >>>>>>> by >>>>>>> default for CA foo" would be stupid too. >>>>>>> >>>>>>> This, and the problem document field. "supportedSerializations" >>>>>>> sounds >>>>>>> fine. >>>>>>> >>>>>>> Should the two features be OPTIONAL? >>>>>>> >>>>>>> I don't like HTTP headers, it's quite complicated to parse them >>>>>>> correctly. >>>>>>> JSON is so much easier. >>>>>>> >>>>>>> >>>>>>> Or... specify that flattened MUST BE used :-) >>>>>>> >>>>>>> Cheers >>>>>>> Joern Heissler >>>>>> >>>>>> >>>>> >>>>> >>>> >> >> > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
- [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Fraser Tweedale
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Felipe Gasper
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Jacob Hoffman-Andrews
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Jörn Heissler
- Re: [Acme] Specify which JWS serialization is used Logan Widick
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- Re: [Acme] Specify which JWS serialization is used Richard Barnes
- Re: [Acme] Specify which JWS serialization is used Martin Thomson
- [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Jörn Heissler
- Re: [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Matthew D. Hardeman
- Re: [Acme] Concerning alternative formats … Felipe Gasper
- Re: [Acme] Concerning alternative formats … Richard Barnes
- Re: [Acme] Concerning alternative formats … Martin Thomson
- Re: [Acme] Concerning alternative formats … Matthew D. Hardeman
- Re: [Acme] Concerning alternative formats … Felipe Gasper