IETF Logo Mail Archive

Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Thu, 30 August 2018 13:34 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38E50130E6F; Thu, 30 Aug 2018 06:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aoJ2BfMTigcl; Thu, 30 Aug 2018 06:34:49 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3F8D130DEB; Thu, 30 Aug 2018 06:34:49 -0700 (PDT)
Received: from Svantevit.roach.at (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w7UDYlYj044934 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 30 Aug 2018 08:34:48 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.roach.at
To: Richard Barnes <rlb@ipv.sx>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-acme@ietf.org, Yoav Nir <ynir.ietf@gmail.com>, "<acme-chairs@ietf.org>" <acme-chairs@ietf.org>, IETF ACME <acme@ietf.org>
References: <153560463159.14901.5253843942494748934.idtracker@ietfa.amsl.com> <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com>
Date: Thu, 30 Aug 2018 08:34:41 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OuZJBJxWaeU_qQSJjqybU6TR1yw>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 13:34:51 -0000

On 8/30/18 7:55 AM, Richard Barnes wrote:
> Focusing on DISCUSS comment for now, will pick up COMMENTs later.
>
> On your DISCUSS, I think you're off on a couple of small things


Yeah, I woke up with the sudden realization that I'd had the wrong model 
in my head when I talked through the cert endpoint. All that's there is 
a signed public cert rather than a public/private pair, so it's not 
sensitive.


> , but right on the underlying point that the document doesn't really 
> provide any guidance as to which resources a server should consider 
> sensitive.  I agree that it would be good to say more, and I've 
> started up a PR for this.
>
> https://github.com/ietf-wg-acme/acme/pull/443


Thanks -- that fixes the text I cite.


>
> I don't agree that sensitivity entails a need for non-guessable URLs.  
> If accessing the URL requires authentication, then it doesn't matter 
> if someone can guess it; unauthorized people can't access it even if 
> they can guess it.  I guess you could argue that if you made a random 
> URL and only distributed it in authenticated channels, then you could 
> allow GETs to it, using the URL itself as an authenticator.  But that 
> seems super brittle; I would rather just have all the authentication 
> be based on signing.  So at best, random URLs are a backstop against a 
> CA making the wrong decision about GETs.


Yup, that seems better.


>
> You're also correct to note that some resources might be sensitive 
> that we now instruct clients to poll with GETs. For example, the 
> client is supposed to poll an authorization resource to see when it 
> validates, but if the authz has a TN in it and so is considered 
> sensitive, you won't be able to do a GET.  I think the right answer 
> here is to have the server return 405 Method Not Allowed if it gets a 
> GET and have the client fall back to an authenticated "POST {}", which 
> should be equivalent to a GET in all cases.


That seems like a good clarification. The one remaining issue is the 
table at the bottom of §7.1, which shows GETs for resources that the new 
text says CAs might consider sensitive. I catch the "might" in that 
sentence, but it seems that identification correlation is a pretty 
powerful privacy leak, and would strongly suggest that the table be 
revised to show POSTs for retrieval of order resources. Whether you take 
this suggestion is up to you -- I'll clear my DISCUSS either way.

/a

v2.23.0 | Report a Bug | By Email