IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Richard Barnes <rlb@ipv.sx> Fri, 31 August 2018 14:16 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59412130DD1 for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 07:16:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GXXWuPaLK79Q for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 07:16:53 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 336A3130E41 for <acme@ietf.org>; Fri, 31 Aug 2018 07:16:53 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id c190-v6so21921275oig.6 for <acme@ietf.org>; Fri, 31 Aug 2018 07:16:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UOmxJOHdkQSpKplepnmht5KAHz4nv+CAXlwmLGzBkCg=; b=u5Ws14Oz5L8V4ldSakopmHRVmUixgTOdMVsUshi2Q2sBuL1SuOpX1Q7xCVF8eSZFnj eTjMtwNm1hubpAgozUuqqdVRnRfkYbK6KeILmZahBOcExrNMBoh4X/QINlf4AnMU8yjN y8o2VktqUIhm3sjna4dNv8vR5GrAixJHlSOMFLEi+LP1Ly80XgcuopDcwRzSr3+K0fCX EHUwxB+sTWbjJ3PB9+2FbAFSWZDVxS7prPov+SNaZtMJWo6+RasLGR35aLBGrEx8ER4I a+uJTsEYSfk9yS/0afVbmvT2DVNuiYYxD+boVSDYAooPHPK/XapIij7k7A6fRYlhbKHa x5BQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UOmxJOHdkQSpKplepnmht5KAHz4nv+CAXlwmLGzBkCg=; b=NaHALsFvH6s1PFNYtQNy8kifgEaCmZVevSjXFGLLX1ZkQ9kaD7oZwoREA97XAau1XQ NspbhoH3NUKuEbogJRAJIUnKB7/+y8y+0o68g2RXLUta1aUsVfGlM6DO4VsUIWSoQg3S 5JH4QoAaJE4xht2AqXxZ5Hq1DmjJuFZeILgtwCbOthU1dOuJQome3G3/JEeauea4S1+1 0zY+CPapiUkFVjaQCktv0nTJcaW5tOxnxlzrq0VxAABGL37fHM6IRhXS5LEB4GX5OSae g1JfEdPEjlL7UJaDmX7iUEbE/bEiclno/YRWaYkIeqf1vIsew82F/z2qB7tFJfSQlDOQ 978Q==
X-Gm-Message-State: APzg51DoUWmIXTl9e/oglLdvKkvnRFYreB9Rvk591ahkXU4JJ3qqFPfR 9lV4cd74jESyJuCR3/jVMylSsse6lLfpxcH5Egvlhybd
X-Google-Smtp-Source: ANB0VdbMAXk+B3awktk87NP6lg/SAYcpF+tAwOH0y4tx9takHze4kjyM9VhvY1nmcAOWldFr1OAwB5ULKs4NFezzaEI=
X-Received: by 2002:aca:3c45:: with SMTP id j66-v6mr7155867oia.118.1535725012251; Fri, 31 Aug 2018 07:16:52 -0700 (PDT)
MIME-Version: 1.0
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com>
In-Reply-To: <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 31 Aug 2018 10:16:41 -0400
Message-ID: <CAL02cgTLEMAMZQicNvXzQrRnGeemrUojmGe_8r=e_YZCNazdsQ@mail.gmail.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d408e20574bbd7a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/CdGB0CkRWd3QGLCcX7fzmhoqC7g>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 14:16:57 -0000

TBH, I'm not averse to allowing GETs for certificate resources.  It seems
analogous to allowing them for the directory resource, just on the opposite
side of the process.  That is, the directory and certificate resources are
the interfaces between ACME and the outside world, so it makes sense not to
force the outside world into the ACME authentication model.  In the same
vein, capability URLs could be sensible here as an optional protection,
since they're an authn model that's easy for the outside world to use.

In addition, the content of certificate resources is tightly constrained,
so we don't have the problem that we have with the JSON resources, that a
server might add some information that violates privacy expectations.

So I would propose that we say:

- GETs are allowed for directory, newNonce, and certificate resources
- Servers MUST still respond to POST-as-GET requests for certificates, to
simplify client logic
- If a server is concerned about the privacy of certificate resources, then
they SHOULD assign them capability URLs.

I'll be updating the PR to reflect some comments in Github a little later
today, and will incorporate the above unless people think it's awful.

--Richard

On Thu, Aug 30, 2018 at 8:46 PM Felipe Gasper <felipe@felipegasper.com>
wrote:

>
>
> > On Aug 30, 2018, at 7:48 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
> >
> > (Replying to Felipe's comment from the thread "Re: [Acme] Adam Roach's
> Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)")
> >
> > On 08/30/2018 11:17 AM, Felipe Gasper wrote:
> > > Would it work to keep certificate fetches as plain GET?
> > >
> > > In shared hosting environments it’s common for a privileged process to
> request certificates on behalf of user accounts. This avoids having 1,000s
> of ACME server registrations from a single server. While certificates are
> generally made available within seconds, theoretically the delay between
> request and issuance could be much longer (e.g., for OV/EV), such that it
> might be prudent for that privileged process to give the order ID to the
> user and have the user poll for the certificate, e.g., via cron.
> >
> > This use case makes sense, but I think it is not critical enough to
> carve out an exception from the "GETs become POSTs" plan. If the ACME
> implementation structures certificate fetches such that they are
> enumerable, you would wind up again with the same sort of correlation
> problem Adam brought up. You could make the certificate URLs unpredictable,
> but then you've introduced a notion of capability URLs[1], which breaks the
> notion of having a single authentication system for ACME.
>
> I suppose if I have:
>
> GET /order/123/certificate    =>   cert for yin.com
>
> GET /order/124/certificate    =>   cert for yang.com
>
> … then one could surmise (however justifiably) that these two may be
> related, so I see the point.
>
> > You could make the certificate URLs unpredictable, but then you've
> introduced a notion of capability URLs[1], which breaks the notion of
> having a single authentication system for ACME.
>
> I can see that.
>
>
> Thanks for your consideration!
>
> -FG
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email