IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 01 September 2018 19:11 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82C47130E46 for <acme@ietfa.amsl.com>; Sat, 1 Sep 2018 12:11:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i-X5840MocKh for <acme@ietfa.amsl.com>; Sat, 1 Sep 2018 12:11:12 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13E64130E40 for <acme@ietf.org>; Sat, 1 Sep 2018 12:11:11 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id u12-v6so14066191wrr.4 for <acme@ietf.org>; Sat, 01 Sep 2018 12:11:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=FFD1m+Qt9cg8VKSZDV+Guy/4+wxtqilXoNA0kPFiJkQ=; b=LhCdynyp2zev70EPd7NSzZEY1kXcKEtfdvg7g5ICNKWy4RA/4s7tOeXYS7c+lxv0YU 1qf0tpCSp2uuVxjRRPBwKJ1aGb1Kf1+oSusxqyGOgFnIwfTBPbM9KYmlGCxVsZXEtVUy q51F4/RceglaIkFq3mw5PAOjBp1G3wIxlybuDLpR8hoZuApdI2bBwlj+0+Hex4+Mj+B5 NSS7/Scg9apemvUxCQjhKSMPtpNIzJMHPYCWFola68CEnhFfCRqyWg0/c3TSkGSEB06G 5ZYB0ZPNXJTVtXFx4y1UfIi0OhhLImrZvbw+i+t4Ndt0U3HHd1i6eG4P8Iy6+Cujny0Q WfWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=FFD1m+Qt9cg8VKSZDV+Guy/4+wxtqilXoNA0kPFiJkQ=; b=qpDedLWMwMurGXUornI1o7I3hR+OVKgIn9921wToSN7GIkJoLLIJshykuh1ZKAbl6p 4AVB41jl6Xt45caV9oZY//gU7+y2NLj+R4u4xWVLO3KhWkO+0uLN7YF12A+bsoeoqc3a 56tzwhMebo3zOmvsyaawQDUS1cDUCXRNcMHDg5bBPG6Uv/8cQBSIQaxew8woqrojEmBs FTcx9mfRx2HVkmRwaznEY71UuTEJ6nrD751cby1ZkPJjAigfoSViNJSpGj4/il/8cCaa mxsanooxH7Zlr0Lq1n8Xv0pl8clbVYEdCNl/PLf4k8H5z76dTNb9pg7+cGjy+YAPLx0H eKPw==
X-Gm-Message-State: APzg51DD/5Nn/N5XqySeZMgdnFmv5wjSvWibL8Q4u/idY8i8UFB/lXgb e4XyLPi+MPGcDubNoU7w8zAD+i41
X-Google-Smtp-Source: ANB0VdaHGVhBvnE7WBTVAJpbiu93XDAc1q6R5LW4ftFAh1R1XQh1IXYl3iFzABSTKc4AkmQ5tIxU/w==
X-Received: by 2002:adf:e30e:: with SMTP id b14-v6mr14253255wrj.158.1535829070011; Sat, 01 Sep 2018 12:11:10 -0700 (PDT)
Received: from [10.0.0.145] (bzq-109-65-15-47.red.bezeqint.net. [109.65.15.47]) by smtp.gmail.com with ESMTPSA id v7-v6sm10162502wrr.19.2018.09.01.12.11.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 01 Sep 2018 12:11:09 -0700 (PDT)
To: Richard Barnes <rlb@ipv.sx>, Jacob Hoffman-Andrews <jsha@eff.org>
Cc: IETF ACME <acme@ietf.org>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <a9ecbc4c-70ed-2d88-5f8f-4c984a0a60c6@gmail.com>
Date: Sat, 01 Sep 2018 22:11:07 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------BEADD15225F3E6D09233DE5F"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/a0tS1t6IU6FXhgZg3vwKyB2Mxic>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Sep 2018 19:11:14 -0000

Hi Richard,

I think we're in a good place, even from a STAR perspective (where 
certificates must be accessible with a GET, or the whole thing breaks 
down). To clarify the behavior further, I suggest to add the following 
text after the paragraph that says that "The server MAY allow GET 
requests for certificate resources...":

The server MAY choose to allow GET requests to certain certificate 
resources but not to others. The server can base this decision on 
out-of-band knowledge (e.g., to allow GET requests to certificates owned 
by a certain account) or on order-specific information, such as the 
extension defined in {{?I-D.ietf-acme-star}}.

Thanks,
     Yaron

On 01/09/18 01:08, Richard Barnes wrote:
> Hey all,
>
> This thread forked into a couple of different issues, so I wanted to 
> post a little end-of-day summary of the issues and where we stand.  
> I've updated the PR [1] to reflect most of today's discussion.
>
> ===
>
> ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing 
> the privacy analysis?
>
> It seems like there's pretty strong agreement that we should get rid 
> of GET, as the architecturally cleanest option.
>
> ===
>
> ISSUE 2: How should we signal that POST-as-GET request is different 
> from other POST requests?
>
> The current PR signals this by sending a JWS with an empty 
> (zero-octet) payload, instead of a JSON object.  Jacob and Daniel 
> suggested that we should instead use the payload being an empty JSON 
> object as the signal.  An earlier draft PR used a field in the 
> protected header.
>
> ===
>
> ISSUE 3: Should servers be required to allow GET requests for 
> certificate URLs?
>
> I had proposed this earlier today; Jacob and Daniel pushed back.  I 
> have implemented a compromise in the latest PR, where servers MAY 
> accept GET requests.
>
> ===
>
> ISSUE 4: How should we address the risk that an attacker can discover 
> URLs by probing for Unauthorized vs. Not Found?
>
> There seemed to be agreement on the list that this should be addressed 
> with some guidance to servers on how to assign URLs.  I have just 
> added some text to the PR for this.
>
> ===
>
> It seems to me we're pretty much closed on the first issue, and the 
> other three are still open.  Please send comments, so we can resolve 
> this issue and get the document back in motion!
>
> Thanks,
> --Richard
>
> [1] https://github.com/ietf-wg-acme/acme/pull/445
>
> On Thu, Aug 30, 2018 at 7:20 PM Jacob Hoffman-Andrews <jsha@eff.org 
> <mailto:jsha@eff.org>> wrote:
>
>     ACME currently has unauthenticated GETs for some resources. This was
>     originally discussed in January 2015[1]. We decided to put all
>     sensitive
>     data in the account resource and consider all GET resources
>     public, with
>     a slant towards transparency.
>
>     Adam Roach recently pointed out in his Area Director review that even
>     when the contents of GET URLs aren’t sensitive, their correlation may
>     be. For instance, some CAs might consider the grouping of
>     certificates
>     by account to be sensitive.
>
>     Richard Barnes proposes[2] to change all GETs to POSTs (except
>     directory
>     and new-nonce). This will be a breaking change. Clients that were
>     compatible with previous drafts, informally called ACMEv1 and ACMEv2,
>     will not be compatible with a draft that mandates POSTs
>     everywhere. It
>     will be a painful change, since the ecosystem just started
>     switching to
>     ACMEv2, which looked to be near-final.
>
>     I think this is the right path forwards. ACME will be a simpler,
>     better
>     protocol long-term if all requests are authenticated. However, if
>     we’re
>     taking this path we should aim to come to consensus and land the
>     final
>     spec quickly to reduce uncertainty for ACME client implementers.
>
>     [1]
>     https://github.com/letsencrypt/acme-spec/pull/48#issuecomment-70169712
>     [2] https://github.com/ietf-wg-acme/acme/pull/445/files
>
>     _______________________________________________
>     Acme mailing list
>     Acme@ietf.org <mailto:Acme@ietf.org>
>     https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email