IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Adam Roach <adam@nostrum.com> Thu, 30 August 2018 23:55 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C6FE130DBE for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 16:55:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_M-wAmOBoGc for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 16:55:41 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A81C6130DDA for <acme@ietf.org>; Thu, 30 Aug 2018 16:55:41 -0700 (PDT)
Received: from Svantevit.roach.at (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w7UNtcWo040410 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Thu, 30 Aug 2018 18:55:39 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.roach.at
To: Jacob Hoffman-Andrews <jsha@eff.org>, ACME WG <acme@ietf.org>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org>
From: Adam Roach <adam@nostrum.com>
Message-ID: <c5acde69-bfdd-57a8-7a9e-8fa53e61959a@nostrum.com>
Date: Thu, 30 Aug 2018 18:55:32 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
In-Reply-To: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dGaesCLRoigjbUHVKwQfqayFBL4>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 23:55:44 -0000

On 8/30/18 6:20 PM, Jacob Hoffman-Andrews wrote:
> ACME currently has unauthenticated GETs for some resources. This was 
> originally discussed in January 2015[1]. We decided to put all 
> sensitive data in the account resource and consider all GET resources 
> public, with a slant towards transparency.
>
> Adam Roach recently pointed out in his Area Director review that even 
> when the contents of GET URLs aren’t sensitive, their correlation may 
> be. For instance, some CAs might consider the grouping of certificates 
> by account to be sensitive.
>
> Richard Barnes proposes[2] to change all GETs to POSTs (except 
> directory and new-nonce). This will be a breaking change. Clients that 
> were compatible with previous drafts, informally called ACMEv1 and 
> ACMEv2, will not be compatible with a draft that mandates POSTs 
> everywhere. It will be a painful change, since the ecosystem just 
> started switching to ACMEv2, which looked to be near-final.


To be clear -- and I'm just repeating an observation that Richard made 
-- servers can continue to accept GET for the resources in question 
(order lists, orders, and certificates) for the foreseeable future, 
while also accepting POST for them [1]. Doing so would allow clients to 
switch from using GET to using POST for these resources at a leisurely 
pace, and then servers could turn off GET functionality (i.e., start 
returning 405's) once usage drops to an acceptable level.


> I think this is the right path forwards. ACME will be a simpler, 
> better protocol long-term if all requests are authenticated. However, 
> if we’re taking this path we should aim to come to consensus and land 
> the final spec quickly to reduce uncertainty for ACME client 
> implementers. 


I think this is the right call also, regardless of how breaking a change 
it might be. What I'd really like to avoid is a perpetual tax on 
developing ACME extensions in the form of having to perform extensive 
privacy analysis on every new endpoint, every new field, and every new 
identifier type that can be retrieved without authentication; and, as 
far as I can tell, that's the only other option here.

For avoidance of doubt, I'm speaking as an individual in the preceding 
paragraph. As an AD with a DISCUSS on this document, I want to make it 
clear that any solution to the privacy issue will satisfy my DISCUSS. 
But as an individual, I would be sad if the decision taken was one that 
hamstrings future protocol development.

/a

____
[1] This would presumably be coupled with an implementation-specific 
analysis of whether GET-able information can be correlated, and making 
adjustments if so.

v2.23.0 | Report a Bug | By Email