Re: [Acme] ACME breaking change: Most GETs become POSTs
Nico Williams <nico@cryptonector.com> Fri, 31 August 2018 15:15 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D979130E78 for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 08:15:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.03
X-Spam-Level:
X-Spam-Status: No, score=0.03 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L5=2.02] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cv30PPvLVbAx for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 08:15:54 -0700 (PDT)
Received: from pdx1-sub0-mail-a2.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C169D130E89 for <acme@ietf.org>; Fri, 31 Aug 2018 08:15:54 -0700 (PDT)
Received: from pdx1-sub0-mail-a2.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a2.g.dreamhost.com (Postfix) with ESMTP id 2107381433; Fri, 31 Aug 2018 08:15:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=InlZUiFTthaQysTBl8O1vPGllEg=; b=BZDELU8xD4C 9cI8iJTy/hJYucdDEMAme7WUEoLJhfe4iXdG8Ovkt/lFPZkETtpibmCcj0aGHjto QXFFLGDr8Qsu1wotyCHitZdDAWe3xsfzqFGYhxHzyrVaN0/rWSn2VF58L0H6goXC 5QBiPmWXwf+HjQOp1f54S+6eUnv02s+g=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a2.g.dreamhost.com (Postfix) with ESMTPSA id B10BF81432; Fri, 31 Aug 2018 08:15:53 -0700 (PDT)
Date: Fri, 31 Aug 2018 10:15:51 -0500
From: Nico Williams <nico@cryptonector.com>
To: Felipe Gasper <felipe@felipegasper.com>
Cc: ACME WG <acme@ietf.org>
Message-ID: <20180831151550.GC10368@localhost>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/R5wfHn1LGTBV74T8llb0dNxyeQc>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 15:16:02 -0000
On Thu, Aug 30, 2018 at 08:45:50PM -0400, Felipe Gasper wrote: > I suppose if I have: > > GET /order/123/certificate => cert for yin.com > > GET /order/124/certificate => cert for yang.com > > … then one could surmise (however justifiably) that these two may be related, so I see the point. If these numbers are certificate serial numbers, then by all means they must be randomized. Even if not, predictable, serial account-number- like numbers should not be part of a URL without some other component to make URL generation unpredictable. > > You could make the certificate URLs unpredictable, but then you've > > introduced a notion of capability URLs[1], which breaks the notion > > of having a single authentication system for ACME. > > I can see that. Eh? Just because they are randomized / unpredictable does not mean that they are capability URLs or confidentiality-sensitive, nor that they must be one-time-use only. Nico --
- [Acme] ACME breaking change: Most GETs become POS… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Felipe Gasper
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Tim Hollebeek
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Daniel McCarney
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Nico Williams
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Felix Fontein
- Re: [Acme] ACME breaking change: Most GETs become… Yaron Sheffer
- Re: [Acme] ACME breaking change: Most GETs become… Jacob Hoffman-Andrews
- Re: [Acme] ACME breaking change: Most GETs become… Richard Barnes
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Salz, Rich
- Re: [Acme] ACME breaking change: Most GETs become… Eric Rescorla
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty
- Re: [Acme] ACME breaking change: Most GETs become… Erica Portnoy
- Re: [Acme] ACME breaking change: Most GETs become… Adam Roach
- Re: [Acme] ACME breaking change: Most GETs become… Alan Doherty