IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Eric Rescorla <ekr@rtfm.com> Thu, 06 September 2018 16:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233A5130EAF for <acme@ietfa.amsl.com>; Thu, 6 Sep 2018 09:04:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.081
X-Spam-Level:
X-Spam-Status: No, score=0.081 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id APlAYumFdcjk for <acme@ietfa.amsl.com>; Thu, 6 Sep 2018 09:04:20 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08002130E99 for <acme@ietf.org>; Thu, 6 Sep 2018 09:04:20 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id q127-v6so9761356ljq.11 for <acme@ietf.org>; Thu, 06 Sep 2018 09:04:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=y1TSwYBTp4TFU/Cebz7cFY8o5jjn7HlWGh3vHLCWdVw=; b=AX7iThVwQ0lMmmERalSqgWQN9GCj0CVtKurNQDNUMUE7QN/+gn0LTbd8nz/pC0lyoU zu1DyE5nfilTR587Wtths95TAPfYrdzYE1uQN1jojebU/tJoNLOXmkHvTjzg0vlysQqA mMpHnkdW4OTxVDcDevQNJwyfCEYm+AIPoanu/BWVdsqtf0JAMTyEN3r53psed4Fae0tp 6hbVJDId9BuVYbdWDLziXP6MBdzSjn0J8mkL2I8+J2dvKYn3M66xFAYu+YuYpyHkMqXe KsTEtkoSNw8XeKoB80XxJvksWIGBjSYCeF1leO0JyS1uywgvhAnNxCqUu34Wr4GzmRxZ Gi3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=y1TSwYBTp4TFU/Cebz7cFY8o5jjn7HlWGh3vHLCWdVw=; b=rbfIDPXZO4Jp1y/WPst2PDciuon2V/bvCw5O/2DWTNIOt5CIwcdnSs8Qyds1zuyqoq 5W4qc+VBFatzy6A9hS58aWcddFxZM32RdxpRaVU6V1lMkyQ6zkgOZ8ZDt9FKKwZ8dqcP hXYM4SNURCdMva0Qw12QX4zW3BVBkugFUBv7GT06BZeHY2tUkppROkp4Lgn/2CMU3zMn MCMujN1P5MAK3aXDyDiuaNfGFsQUm+m5735gxWhmEFb4l8Y3baOR5xFNuaFAtkE331dv 1m1Db6dWNFP1OI1gnL1PTfXiKMoCqa5NzmNbfNv00+QoJ4ctGtIEEoinO34Qm3KgmQWS rLIA==
X-Gm-Message-State: APzg51AhICld049y4eos6w9D0K+aSorgHygA6KqODSn8qz6rUEzCLpG6 QZP9dDjSvPxtPVtJ3I60wt/zZ8UmJYsnF1KEXSNVzJrL
X-Google-Smtp-Source: ANB0VdakaSJbB2Ir/c8OohGdeHQ56tHX1IPXB1FrpzAic+A5nr8fv203BWUVhV2Zkj9O5RNDN4MpHZJCNt3o/FY9Y+4=
X-Received: by 2002:a2e:9c82:: with SMTP id x2-v6mr2426329lji.131.1536249858065; Thu, 06 Sep 2018 09:04:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a05:6504:128b:0:0:0:0 with HTTP; Thu, 6 Sep 2018 09:03:37 -0700 (PDT)
In-Reply-To: <A53CF702-D5DA-4A68-B677-4707A1C2E990@akamai.com>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com> <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com> <A53CF702-D5DA-4A68-B677-4707A1C2E990@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 06 Sep 2018 09:03:37 -0700
Message-ID: <CABcZeBP95mUro1MO=omM7PYHC9i7v9PoohuxfNK9tPSHmwwUgQ@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000139e2b0575360bdb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/UZ6EVVMU6AGOAa5Kr517HAA_poo>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 16:04:23 -0000

This is a pretty substantive change and I think this does need to have a
short IETF-LC. Why don't you produce a new draft and let me know when you
believe the WG has consensus
-Ekr


On Thu, Sep 6, 2018 at 8:50 AM, Salz, Rich <
rsalz=40akamai.com@dmarc.ietf.org> wrote:

> We have already had some discussion on this.  I do not want to reset the
> WGLC.  Please take a look at the PR, it addresses issue that were brought
> up during IESG review.
>
>
>
> If you have objections or concerns, please reply by the end of next week,
> 14 sep.
>
>
>
> *From: *Richard Barnes <rlb@ipv.sx>
> *Date: *Thursday, September 6, 2018 at 11:02 AM
> *To: *"acme@ietf.org" <acme@ietf.org>
> *Cc: *"<acme-chairs@ietf. org>" <acme-chairs@ietf.org>, Eric Rescorla <
> ekr@rtfm.com>, Adam Roach <adam@nostrum.com>
> *Subject: *Re: [Acme] ACME breaking change: Most GETs become POSTs
> *Resent-From: *<alias-bounces@ietf.org>
> *Resent-To: *Rich Salz <rsalz@akamai.com>, Yoav Nir <ynir.ietf@gmail.com>
> *Resent-Date: *Thursday, September 6, 2018 at 11:02 AM
>
>
>
> After the weekend's discussions, I've updated the PR to reflect what I
> understand to be emerging agreement on these topics:
>
>
>
> ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing the
> privacy analysis?
>
> PROPOSED RESOLUTION: Yes.
>
>
>
> ISSUE 2: How should we signal that POST-as-GET request is different from
> other POST requests?
>
> PROPOSED RESOLUTION: A JWS with a zero-octet payload ("")
>
>
>
> ISSUE 3: Should servers be required to allow GET requests for certificate
> URLs?
>
> PROPOSED RESOLUTION: No, but they MAY
>
>
>
> ISSUE 4: How should we address the risk that an attacker can discover URLs
> by probing for Unauthorized vs. Not Found?
>
> PROPOSED RESOLUTION: Security considerations that recommend
> non-correlatable URL plans
>
>
>
> https://github.com/ietf-wg-acme/acme/pull/445
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=ARyNYl3lxrI8cMqtfkMceBinUqRQmbZiPk8NXJWj3O0&e=>
>
>
>
> Adam: Is this looking like an approach that would satisfy your DISCUSS?
>
>
>
> Chairs / EKR: How would you like to proceed on closing this out?  What are
> the next process steps?
>
>
>
>
>
> On Fri, Aug 31, 2018 at 6:08 PM Richard Barnes <rlb@ipv.sx> wrote:
>
> Hey all,
>
>
>
> This thread forked into a couple of different issues, so I wanted to post
> a little end-of-day summary of the issues and where we stand.  I've updated
> the PR [1] to reflect most of today's discussion.
>
>
>
> ===
>
>
>
> ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing the
> privacy analysis?
>
>
>
> It seems like there's pretty strong agreement that we should get rid of
> GET, as the architecturally cleanest option.
>
>
>
> ===
>
>
>
> ISSUE 2: How should we signal that POST-as-GET request is different from
> other POST requests?
>
>
>
> The current PR signals this by sending a JWS with an empty (zero-octet)
> payload, instead of a JSON object.  Jacob and Daniel suggested that we
> should instead use the payload being an empty JSON object as the signal.
> An earlier draft PR used a field in the protected header.
>
>
>
> ===
>
>
>
> ISSUE 3: Should servers be required to allow GET requests for certificate
> URLs?
>
>
>
> I had proposed this earlier today; Jacob and Daniel pushed back.  I have
> implemented a compromise in the latest PR, where servers MAY accept GET
> requests.
>
>
>
> ===
>
>
>
> ISSUE 4: How should we address the risk that an attacker can discover URLs
> by probing for Unauthorized vs. Not Found?
>
>
>
> There seemed to be agreement on the list that this should be addressed
> with some guidance to servers on how to assign URLs.  I have just added
> some text to the PR for this.
>
>
>
> ===
>
>
>
> It seems to me we're pretty much closed on the first issue, and the other
> three are still open.  Please send comments, so we can resolve this issue
> and get the document back in motion!
>
>
>
> Thanks,
>
> --Richard
>
>
>
> [1] https://github.com/ietf-wg-acme/acme/pull/445
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=ARyNYl3lxrI8cMqtfkMceBinUqRQmbZiPk8NXJWj3O0&e=>
>
>
>
> On Thu, Aug 30, 2018 at 7:20 PM Jacob Hoffman-Andrews <jsha@eff.org>
> wrote:
>
> ACME currently has unauthenticated GETs for some resources. This was
> originally discussed in January 2015[1]. We decided to put all sensitive
> data in the account resource and consider all GET resources public, with
> a slant towards transparency.
>
> Adam Roach recently pointed out in his Area Director review that even
> when the contents of GET URLs aren’t sensitive, their correlation may
> be. For instance, some CAs might consider the grouping of certificates
> by account to be sensitive.
>
> Richard Barnes proposes[2] to change all GETs to POSTs (except directory
> and new-nonce). This will be a breaking change. Clients that were
> compatible with previous drafts, informally called ACMEv1 and ACMEv2,
> will not be compatible with a draft that mandates POSTs everywhere. It
> will be a painful change, since the ecosystem just started switching to
> ACMEv2, which looked to be near-final.
>
> I think this is the right path forwards. ACME will be a simpler, better
> protocol long-term if all requests are authenticated. However, if we’re
> taking this path we should aim to come to consensus and land the final
> spec quickly to reduce uncertainty for ACME client implementers.
>
> [1] https://github.com/letsencrypt/acme-spec/pull/48#issuecomment-70169712
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_letsencrypt_acme-2Dspec_pull_48-23issuecomment-2D70169712&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=-4g1lhzE_4QDBMJ-WyE17zBBm61tdp2A-ImhSpqHet4&e=>
> [2] https://github.com/ietf-wg-acme/acme/pull/445/files
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445_files&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=LoHY-1DpWoqgeBKRrhoq2l8n4_M01eB2qOjY9yUEaRA&e=>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_acme&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=-4LvMdxd6Cmfi4d1ClEC2VFM8ndqUtWVEkoSNvTrg2M&e=>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>

v2.23.0 | Report a Bug | By Email