Re: [Acme] Pre-authorization approach
Jacob Hoffman-Andrews <jsha@eff.org> Wed, 10 August 2016 01:09 UTC
Return-Path: <jsha@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3ACC312B02F for <acme@ietfa.amsl.com>; Tue, 9 Aug 2016 18:09:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.249
X-Spam-Level:
X-Spam-Status: No, score=-8.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.247, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id flrylFNLfYKR for <acme@ietfa.amsl.com>; Tue, 9 Aug 2016 18:09:48 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5619812B012 for <acme@ietf.org>; Tue, 9 Aug 2016 18:09:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version:Date:Message-ID:From:References:To:Subject; bh=p6/+jDAthBo6XbdF16pyAmmI2YNKZjS08tsSheSVzZw=; b=iByjsLJXthj7F33CYchDBjmBPhqN4JOa+RY1NtEO8EgWADeB0XgdqMsTL6wqwbiUV7XJi2dWuZ5ZLceHoB5zeDzTx84WUV4eTlmWuiZ9henxI1bWtaqBG+nMhh4A+bUVCkoDfwFJc4UKPTBhwIFKauCwiY9qc2em5I7MpuiRSKQ=;
Received: ; Tue, 09 Aug 2016 18:09:48 -0700
To: acme@ietf.org
References: <CAL02cgT04cy2TMZ3Tb56-S-ChZq6+6vZGubQC9wXknyP8xzkJQ@mail.gmail.com> <db322e3c-8206-99e1-f976-affb48f0f5d1@eff.org> <20160809132304.6b6b995cf7962173c98eec94@andrewayer.name> <e91ca701-73c3-8d30-5305-4f534be051a2@eff.org> <20160809172736.41e7b6187c20956a46357dac@andrewayer.name>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <e952bb90-1dd8-f1b7-86a1-ce6facfa8c05@eff.org>
Date: Tue, 09 Aug 2016 18:09:42 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160809172736.41e7b6187c20956a46357dac@andrewayer.name>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/U3z05z4EYrcQYYavBiVSrOJFvpg>
Subject: Re: [Acme] Pre-authorization approach
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Aug 2016 01:09:49 -0000
On 08/09/2016 05:27 PM, Andrew Ayer wrote: > This means that clients can't rely on the server offering this > endpoint. Although there is a risk of half-baked implementations > assuming all servers support it, it seems unlikely that many would make > this mistake. All clients have to go through the new-app workflow > anyways, and it's easier to just let the server create authorizations for > you. I disagree that the risk of half-baked clients. Experience shows that if something works, some clients will do it, and will break if it's not available. This is exacerbated by the fact that the new-authz flow most closely matches the flow currently implemented in Boulder and used by existing ACME clients. So the reasonable and safe thing for a client maintainer to do would be to keep using new-authz if Let's Encrypt continues to offer it. I think the only way to make sure the ecosystem of ACME clients is actually interoperable with servers that don't implement new-authz is for Let's Encrypt not to implement new-authz in its next API revision. Which is reasonable, but it means that EKR's issue goes unaddressed.
- Re: [Acme] Pre-authorization approach Jacob Hoffman-Andrews
- Re: [Acme] Pre-authorization approach Andrew Ayer
- Re: [Acme] Pre-authorization approach Jacob Hoffman-Andrews
- Re: [Acme] Pre-authorization approach Andrew Ayer
- Re: [Acme] Pre-authorization approach Jacob Hoffman-Andrews
- Re: [Acme] Pre-authorization approach Salz, Rich
- Re: [Acme] Pre-authorization approach Peter Bowen
- Re: [Acme] Pre-authorization approach Jacob Hoffman-Andrews
- Re: [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Eric Rescorla
- Re: [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Patrick Figel
- Re: [Acme] Pre-authorization approach Ilari Liusvaara
- Re: [Acme] Pre-authorization approach Niklas Keller
- Re: [Acme] Pre-authorization approach Eric Rescorla
- Re: [Acme] Pre-authorization approach Andrew Ayer
- [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Salz, Rich
- Re: [Acme] Pre-authorization approach Roland Bracewell Shoemaker
- Re: [Acme] Pre-authorization approach Eric Rescorla
- Re: [Acme] Pre-authorization approach Roland Bracewell Shoemaker
- Re: [Acme] Pre-authorization approach Eric Rescorla
- Re: [Acme] Pre-authorization approach Richard Barnes
- Re: [Acme] Pre-authorization approach Salz, Rich
- Re: [Acme] Pre-authorization approach Jacob Hoffman-Andrews
- Re: [Acme] Pre-authorization approach Salz, Rich