IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 31 August 2018 15:22 UTC

Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C60CF130DE3 for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 08:22:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aeeJ1SCXwU1A for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 08:22:41 -0700 (PDT)
Received: from mail1.bemta24.messagelabs.com (mail1.bemta24.messagelabs.com [67.219.250.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C96F130DD1 for <acme@ietf.org>; Fri, 31 Aug 2018 08:22:41 -0700 (PDT)
Received: from [67.219.250.196] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-4.bemta.az-b.us-west-2.aws.symcld.net id 99/83-28473-04D598B5; Fri, 31 Aug 2018 15:22:40 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTWUwTURSGuZ3pdETGjAXliGKgcSGQqW1xweh D1Wh4MRGNJlqMDnagTdrSdEpAI1GiqFA10NhE6gKu2CKJCy5RiVpRtBjEGnAhJmI1QkHFuCGu nU7d3r45/3/Of+7NHRKTh4gkkiuxczYLa1IQsfijlHODjHZ1hU61vwHP8r7KyXrddg3L8ne1E Fosu8/fjrIH2u7i2UePfpEswVZJjZa8wpK1UsOt/mGpdfeikrZjLmwzujG/Eo0gcXonBr66KZ UolpTTVRLYsTOAxI9nCMpr3uKCi6BV0NXcKhE4gV4Gjz1fkcAYPR66hy7LKhFJxtNacA5HLfO gPtghFXkROO51IDFsMgzcboowRa+Gvp/bo1mtCJzPPZHmEfQ0cNcflwmM6LHw2X9SImYlwpMX tREGOgF67rcRIo+BvuAPqejPhQPvfdG6Asp6azCRkyFQ64iEAX1VBt1NB6ODGBh0uaKmxdDds xcTTQEEroonuCikw0VHi0Q4JdAmKLu5VCzPAU9oUCryRPDu6sHF3nMYeC7digZMgMqhz9HkMg Ia2qsjHXJaD3u8PqIKZbj/OZ077MPoOgTNLb0Sd+SeRsOdmhe4aEoHV2Moyhlw/FA/5kayMM+ FJr1YTYU9jh6ZyDNhW/s7og6RXpSVZzMWGOxm1mhi1CoVo1ZrGHVmJqPRzFKyG5g8ZRHPFHO8 ndEo2WJeya83rzPplRbOfgaFX5zeWh68iNoPF/jQOFKiGEM9UFXo5KPyCvXrDSxvWGMrMnG8D 00gSQVQ/bqwNtrGFXAl+UZT+Nn+loGMUyRQlwSZ4q2smTcWiJIfZZJvPE4nRn5763JictxSaO GSEim/YKUFq6HI8mfQ718ggJKT4ikUExMjj7NyNrPR/r8eQokkUsRTabnhKXFGi/1PXii8iiS 8Ct65Q1jFzv6Vkjajbfl3Zlw4P81/L2P59dRTDermlLFfTpSvc/T+iP945fD3ocbT+trUFcNl rbrqBUc+vXsUO3vhq9LafeaOIDHTO8mruzL92MrcuTlPc6o36tPUG/I/nnfNT+7Upm35sCkls 0/h1lYFznbspoqbG63syMlbS2UvS/MHvPVTHwY1hfvqb+gVOG9g1emYjWd/Afq+IED9AwAA
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-8.tower-344.messagelabs.com!1535728959!4071484!1
X-Originating-IP: [216.32.181.240]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received:
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 22769 invoked from network); 31 Aug 2018 15:22:39 -0000
Received: from mail-by2nam05lp0240.outbound.protection.outlook.com (HELO NAM05-BY2-obe.outbound.protection.outlook.com) (216.32.181.240) by server-8.tower-344.messagelabs.com with AES256-SHA256 encrypted SMTP; 31 Aug 2018 15:22:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ec/yiH7+SCR1fqa6gPh7/ao9HIKioYss1sgDCstyN7w=; b=mOiB3NalaqQJ2mUFcXnDwGgZbq84tJWXumi7bGtHtxD72hFs+thJoikWqiuULyPd7tVqRcw8L9pplKeYcG589Pc6wB2jjhj0sSHTg32WLQwA5Mce+0RrEI5xFP1/sTq2902rIfk5Q7inD6VDq9mc/yQow5Mc+dqO2Hj5PUg0QPA=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1411.namprd14.prod.outlook.com (10.172.150.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.14; Fri, 31 Aug 2018 15:22:38 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b48d:a35d:7a5e:abf9%11]) with mapi id 15.20.1101.016; Fri, 31 Aug 2018 15:22:37 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Nico Williams <nico@cryptonector.com>, Felipe Gasper <felipe@felipegasper.com>
CC: ACME WG <acme@ietf.org>
Thread-Topic: [Acme] ACME breaking change: Most GETs become POSTs
Thread-Index: AQHUQLgZm5PhjJYzrkiJa1Q9gI+EGaTY9oWAgAAP9wCAAPMVgIAAAPpA
Date: Fri, 31 Aug 2018 15:22:37 +0000
Message-ID: <BN6PR14MB1106887D392129C402A1B8FF830F0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com> <20180831151550.GC10368@localhost>
In-Reply-To: <20180831151550.GC10368@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [81.250.177.159]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR14MB1411; 6:bVwKVye9GAQpjmT0GzeUo36F1OAjocxJGqs2LzPJ/Y4OMu6qe+l4lg27c+wFR3mf7+JLGHvmxQCUIzmIKXmTdWN1vq6CiDPe3431lEl3WqsfEc+TSpbiDFpkqoF5OfTx3cNs8/QBtxK/Fik2ZyGkHvh+YGNEdewBblNzg6QH8FOajeaTKvLihtsDXWQrvFWE0y2wx/htUWpK8ywiPANRbJSekpKwlL7xA0OJK2YhmNUwZ3sB6QtncRO/+WcUuWuH6/Eo7GNJa10qQZhm6eWe/8YPLzzwJsMptq3W3R5J8F8y6VibfxQboSkRE7SoPInI2kccwllLJZKXkNfxSqUsry7+77Uu5y6F4cNcE4/Y03NsUPVliTNAQsDu4Y28m663UXvXumdbC/lLa9ZsaOFU483/1LWZIa+qvtK+d2lOFKGzD9Guhh24Yy9WVi4D3gwSEHZ2e1Lhixt8jt24IvhK7Q==; 5:u2/RVITKAmjm/G2f7nkocWij6fNovxqtZPbt0p5syWE2VsMHuj/wM1kVnFO3rPf8e854LDGVzGU3wjO+Qau2xQMBX9TLt6PLDkJrfg1HOuHaP0hAajzglOOuQWs0n+OzMtQu/EVIT9k69Dl+kmKSev8hcjU1NkodCP/GhdcDh1E=; 7:76max6EXdZElEd/tpAbONrxwZR+/XSrqe+k8yY3lj9DWyvu85Y+7Ptj9GttftJA15N0yeVFioADyXxfzHl40DhXceT+rq4ipQn5tRBr4BIUMVfgSxCb2m8l47fhwI/NSXGJhwF60aS3zvw2mkdWDx78kryaTks7ovgQrmNsGVxWBMehGOJ5Gd7PFlBU6vJ3uzA0Bs8c3+v8YQStFc7xITs1cFkofgkZrUTwhntUReJJW9cmbERyp9dXrOR/BI1QL
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 172d072c-0622-4cfb-337a-08d60f5595d5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1411;
x-ms-traffictypediagnostic: BN6PR14MB1411:
x-microsoft-antispam-prvs: <BN6PR14MB1411ED1FCFCDC65384038D1F830F0@BN6PR14MB1411.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231311)(944501410)(52105095)(149027)(150027)(6041310)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(201708071742011)(7699016); SRVR:BN6PR14MB1411; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1411;
x-forefront-prvs: 07817FCC2D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(376002)(346002)(366004)(396003)(136003)(13464003)(189003)(199004)(40224003)(106356001)(105586002)(6436002)(14454004)(5660300001)(229853002)(6306002)(9686003)(2900100001)(7736002)(305945005)(55016002)(966005)(2906002)(74316002)(53936002)(99936001)(8676002)(478600001)(186003)(33656002)(26005)(102836004)(66066001)(14444005)(256004)(5250100002)(6506007)(53546011)(44832011)(99286004)(110136005)(11346002)(446003)(81166006)(316002)(476003)(93886005)(86362001)(486006)(97736004)(7696005)(6116002)(6246003)(3846002)(8936002)(25786009)(76176011)(4326008)(81156014)(68736007); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1411; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: dV5yFmqr3HHMb/ayNnpod851AtvtUEzuKvI+DdUMTGg8c7f2wazMVbZFQo0IXIocBgNpEisDBuyNe9enTMGhBd0vGjJk8RwbwC8vC7LX5Ml5WuYfGQVKuBYVa7j8sfj9zLo+RPBc0wDzrMHgYAbWtAJUC9raT6Ggvpu4jqsbsYQjSiTQGaCkW3QV1WjjWwKjjycNxXIRBqQJxN5ud5NIF2+jpZSBJ61GRTbYFtStT3JY56JUpaOj/IL8syp3EnIic+vSlZrDFNyXTDB4QGqaDPMshjW7guxIQEFayj68O341hFlb1mALpoEdiDIguLKx2onfkeAlbElgkuk5+B8Q5u1sgLGlfXfUmi9GvwYE0o8=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_05C6_01D4414F.3179E180"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 172d072c-0622-4cfb-337a-08d60f5595d5
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Aug 2018 15:22:37.8006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1411
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/feKSvWYBzZ-mZtDdLY3sRbYkusU>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 15:22:46 -0000

The capability URL stuff introduces a level of complexity that I'd rather not try to analyze at this point.  I'm afraid people will rush to implement it and get it wrong in hard to anticipate ways, or that there are consequences we haven't foreseen at this late hour.

POSTs seem to be the right long term solution.  Why is it necessary that the server MUST allow GETs, and cannot consider them to be a legacy feature that should eventually be deprecated?

-Tim

> -----Original Message-----
> From: Acme <acme-bounces@ietf.org> On Behalf Of Nico Williams
> Sent: Friday, August 31, 2018 5:16 PM
> To: Felipe Gasper <felipe@felipegasper.com>
> Cc: ACME WG <acme@ietf.org>
> Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
> 
> On Thu, Aug 30, 2018 at 08:45:50PM -0400, Felipe Gasper wrote:
> > I suppose if I have:
> >
> > GET /order/123/certificate    =>   cert for yin.com
> >
> > GET /order/124/certificate    =>   cert for yang.com
> >
> > … then one could surmise (however justifiably) that these two may be
> related, so I see the point.
> 
> If these numbers are certificate serial numbers, then by all means they must be
> randomized.  Even if not, predictable, serial account-number- like numbers
> should not be part of a URL without some other component to make URL
> generation unpredictable.
> 
> > > You could make the certificate URLs unpredictable, but then you've
> > > introduced a notion of capability URLs[1], which breaks the notion
> > > of having a single authentication system for ACME.
> >
> > I can see that.
> 
> Eh?  Just because they are randomized / unpredictable does not mean that
> they are capability URLs or confidentiality-sensitive, nor that they must be one-
> time-use only.
> 
> Nico
> --
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme

v2.23.0 | Report a Bug | By Email