Re: [Acme] ACME breaking change: Most GETs become POSTs
Adam Roach <adam@nostrum.com> Thu, 06 September 2018 15:13 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CABB2130E99; Thu, 6 Sep 2018 08:13:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WHVQuk4h99Pr; Thu, 6 Sep 2018 08:13:39 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 630C3130E92; Thu, 6 Sep 2018 08:13:39 -0700 (PDT)
Received: from Svantevit.roach.at (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w86FDbsV044024 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 6 Sep 2018 10:13:38 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.roach.at
To: Richard Barnes <rlb@ipv.sx>, IETF ACME <acme@ietf.org>
Cc: "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, Eric Rescorla <ekr@rtfm.com>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com> <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <069a869f-e2c8-89ec-2642-4d67e256963f@nostrum.com>
Date: Thu, 06 Sep 2018 10:13:32 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/ObHZFfzh_zeBx_Li1tTN0zSKAjs>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 15:13:41 -0000
On 9/6/18 10:02 AM, Richard Barnes wrote:
> After the weekend's discussions, I've updated the PR to reflect what I
> understand to be emerging agreement on these topics:
>
> ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing
> the privacy analysis?
> PROPOSED RESOLUTION: Yes.
>
> ISSUE 2: How should we signal that POST-as-GET request is different
> from other POST requests?
> PROPOSED RESOLUTION: A JWS with a zero-octet payload ("")
>
> ISSUE 3: Should servers be required to allow GET requests for
> certificate URLs?
> PROPOSED RESOLUTION: No, but they MAY
>
> ISSUE 4: How should we address the risk that an attacker can discover
> URLs by probing for Unauthorized vs. Not Found?
> PROPOSED RESOLUTION: Security considerations that recommend
> non-correlatable URL plans
>
> https://github.com/ietf-wg-acme/acme/pull/445
>
> Adam: Is this looking like an approach that would satisfy your DISCUSS?
Yes, it would. Thanks to everyone for moving so quickly on this. (n.b.:
I glanced at the PR, but did not review it in detail. I leave it to the
WG, its chairs, and the sponsoring AD to ensure the document is
consistent and reflects consensus.)
/a
- [Acme] ACME breaking change: Most GETs become POS… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Tim Hollebeek
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Felix Fontein
- Re: [Acme] ACME breaking change: Most GETs become… Yaron Sheffer
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty