Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
Adam Roach <adam@nostrum.com> Thu, 30 August 2018 13:34 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E50130E6F; Thu, 30 Aug 2018 06:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aoJ2BfMTigcl; Thu, 30 Aug 2018 06:34:49 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3F8D130DEB; Thu, 30 Aug 2018 06:34:49 -0700 (PDT)
Received: from Svantevit.roach.at (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w7UDYlYj044934 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 30 Aug 2018 08:34:48 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.roach.at
To: Richard Barnes <rlb@ipv.sx>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-acme@ietf.org, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, IETF ACME <acme@ietf.org>
References: <153560463159.14901.5253843942494748934.idtracker@ietfa.amsl.com> <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com>
Date: Thu, 30 Aug 2018 08:34:41 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OuZJBJxWaeU_qQSJjqybU6TR1yw>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 13:34:51 -0000
On 8/30/18 7:55 AM, Richard Barnes wrote: > Focusing on DISCUSS comment for now, will pick up COMMENTs later. > > On your DISCUSS, I think you're off on a couple of small things Yeah, I woke up with the sudden realization that I'd had the wrong model in my head when I talked through the cert endpoint. All that's there is a signed public cert rather than a public/private pair, so it's not sensitive. > , but right on the underlying point that the document doesn't really > provide any guidance as to which resources a server should consider > sensitive. I agree that it would be good to say more, and I've > started up a PR for this. > > https://github.com/ietf-wg-acme/acme/pull/443 Thanks -- that fixes the text I cite. > > I don't agree that sensitivity entails a need for non-guessable URLs. > If accessing the URL requires authentication, then it doesn't matter > if someone can guess it; unauthorized people can't access it even if > they can guess it. I guess you could argue that if you made a random > URL and only distributed it in authenticated channels, then you could > allow GETs to it, using the URL itself as an authenticator. But that > seems super brittle; I would rather just have all the authentication > be based on signing. So at best, random URLs are a backstop against a > CA making the wrong decision about GETs. Yup, that seems better. > > You're also correct to note that some resources might be sensitive > that we now instruct clients to poll with GETs. For example, the > client is supposed to poll an authorization resource to see when it > validates, but if the authz has a TN in it and so is considered > sensitive, you won't be able to do a GET. I think the right answer > here is to have the server return 405 Method Not Allowed if it gets a > GET and have the client fall back to an authenticated "POST {}", which > should be equivalent to a GET in all cases. That seems like a good clarification. The one remaining issue is the table at the bottom of §7.1, which shows GETs for resources that the new text says CAs might consider sensitive. I catch the "might" in that sentence, but it seems that identification correlation is a pretty powerful privacy leak, and would strongly suggest that the table be revised to show POSTs for retrieval of order resources. Whether you take this suggestion is up to you -- I'll clear my DISCUSS either way. /a
- [Acme] Adam Roach's Discuss on draft-ietf-acme-ac… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Felix Fontein
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Salz, Rich
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Salz, Rich
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Felipe Gasper
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Fossati, Thomas (Nokia - GB/Cambridge)
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes