IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Felipe Gasper <felipe@felipegasper.com> Fri, 31 August 2018 14:22 UTC

Return-Path: <felipe@felipegasper.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43AD7130DEB for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 07:22:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=felipegasper.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSWnyZAN8JVy for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 07:21:58 -0700 (PDT)
Received: from web1.siteocity.com (web1.siteocity.com [67.227.147.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A1F41271FF for <acme@ietf.org>; Fri, 31 Aug 2018 07:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=felipegasper.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=AyWAxokMOedAJZxnDyXim0nkyr0BGYWiCgWBOOVcJ0w=; b=l3feiFDfvPXfHnleW17H9Wmng tJms+3qIg+RVmXIYwYk45DlQMM4F47Uw38CH8oRgJe3Y6W33LZC7MZHryUfjuD5HElKISiD72BPod jF3vwabVqTfNO0uzOBfgxO6+B+kd9OyUyeL0ejGfR6H1p9vdWxhMqmAdR9xGtypr602N4uCFVqkfj ZU7ns5RJvWwkOtTGOT2unbIUkJnWyST1D2PV73+ru2oy7P92mfPDVh9j7CwEgTUBXlElNcLCoq0YU hbe4Fc3pK3k20zJGl7SB1UYtY5VQ+xU3pr68L+T6ZOEZ4hF0Pgj1M3Y1KT88yUwlCI3hEPGUX8RAt iEAuDv7pg==;
Received: from cpe9050cab50823-cm9050cab50820.cpe.net.cable.rogers.com ([99.248.56.67]:50097 helo=[192.168.0.14]) by web1.siteocity.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <felipe@felipegasper.com>) id 1fvkJ6-003qVm-Ua; Fri, 31 Aug 2018 09:21:56 -0500
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <CAL02cgTLEMAMZQicNvXzQrRnGeemrUojmGe_8r=e_YZCNazdsQ@mail.gmail.com>
Date: Fri, 31 Aug 2018 10:21:52 -0400
Cc: IETF ACME <acme@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4C101EA2-5930-4FB1-8574-C4EE4DCCF61B@felipegasper.com>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com> <CAL02cgTLEMAMZQicNvXzQrRnGeemrUojmGe_8r=e_YZCNazdsQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - web1.siteocity.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - felipegasper.com
X-Get-Message-Sender-Via: web1.siteocity.com: authenticated_id: fgasper/from_h
X-Authenticated-Sender: web1.siteocity.com: felipe@felipegasper.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/L4Q78HQoUIqCTa7u9ecbX9fNC8A>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 14:22:00 -0000

I wonder, then, if it’s worth making it discoverable whether the server allows a plain GET for a certificate … other than, of course, getting a 405 back when the client tries to request a certificate via GET.

-F

> On Aug 31, 2018, at 10:16 AM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> TBH, I'm not averse to allowing GETs for certificate resources.  It seems analogous to allowing them for the directory resource, just on the opposite side of the process.  That is, the directory and certificate resources are the interfaces between ACME and the outside world, so it makes sense not to force the outside world into the ACME authentication model.  In the same vein, capability URLs could be sensible here as an optional protection, since they're an authn model that's easy for the outside world to use.
> 
> In addition, the content of certificate resources is tightly constrained, so we don't have the problem that we have with the JSON resources, that a server might add some information that violates privacy expectations.
> 
> So I would propose that we say:
> 
> - GETs are allowed for directory, newNonce, and certificate resources
> - Servers MUST still respond to POST-as-GET requests for certificates, to simplify client logic
> - If a server is concerned about the privacy of certificate resources, then they SHOULD assign them capability URLs.
> 
> I'll be updating the PR to reflect some comments in Github a little later today, and will incorporate the above unless people think it's awful.
> 
> --Richard
> 
> On Thu, Aug 30, 2018 at 8:46 PM Felipe Gasper <felipe@felipegasper.com> wrote:
> 
> 
> > On Aug 30, 2018, at 7:48 PM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
> > 
> > (Replying to Felipe's comment from the thread "Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)")
> > 
> > On 08/30/2018 11:17 AM, Felipe Gasper wrote:
> > > Would it work to keep certificate fetches as plain GET?
> > >
> > > In shared hosting environments it’s common for a privileged process to request certificates on behalf of user accounts. This avoids having 1,000s of ACME server registrations from a single server. While certificates are generally made available within seconds, theoretically the delay between request and issuance could be much longer (e.g., for OV/EV), such that it might be prudent for that privileged process to give the order ID to the user and have the user poll for the certificate, e.g., via cron.
> > 
> > This use case makes sense, but I think it is not critical enough to carve out an exception from the "GETs become POSTs" plan. If the ACME implementation structures certificate fetches such that they are enumerable, you would wind up again with the same sort of correlation problem Adam brought up. You could make the certificate URLs unpredictable, but then you've introduced a notion of capability URLs[1], which breaks the notion of having a single authentication system for ACME.
> 
> I suppose if I have:
> 
> GET /order/123/certificate    =>   cert for yin.com
> 
> GET /order/124/certificate    =>   cert for yang.com
> 
> … then one could surmise (however justifiably) that these two may be related, so I see the point.
> 
> > You could make the certificate URLs unpredictable, but then you've introduced a notion of capability URLs[1], which breaks the notion of having a single authentication system for ACME.
> 
> I can see that.
> 
> 
> Thanks for your consideration!
> 
> -FG
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email