IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

"Salz, Rich" <rsalz@akamai.com> Thu, 06 September 2018 15:50 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A01CC130E9C for <acme@ietfa.amsl.com>; Thu, 6 Sep 2018 08:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.72
X-Spam-Level:
X-Spam-Status: No, score=-0.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jp33T3wYPTH7 for <acme@ietfa.amsl.com>; Thu, 6 Sep 2018 08:50:22 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA88130E92 for <acme@ietf.org>; Thu, 6 Sep 2018 08:50:21 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w86FlQPm014531 for <acme@ietf.org>; Thu, 6 Sep 2018 16:50:21 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=/q1w8Gs4BJjfq2TffR8SJi1U88b7V7/vIzhEzTK7qlA=; b=S3LsbZ4P9FxOLQP7FDTBmtAyDZv7WbNX62qHA59RgI9QnE0UpbYe7l9pZ15uN7BDJuXd EGq9Y83NnxWNg7taZo0AyTlpjJ6JpebtM1Uctov1KDxrS5E36x3V8S3rBWOARcsmlatl mJEM9QeWm0JOCct0XwsBJtBTZo4nNIuBJ9sReWLonnqnG3BYmzccnixO9CWfGbqc3qMa zpk7mE36yGMrTaAp3GNVQSfUetz0M5Rgf4GhnkscTRkhM/h/SXihT8QJ/qEWGPZ9H1QX +Htp1dcd0JPmuQsEwrlEunwOgnSPnGDvQvZK0jjAfH89/gS+f1FCftTwkPKWn9doLWpd xQ==
Received: from prod-mail-ppoint4 (a96-6-114-87.deploy.static.akamaitechnologies.com [96.6.114.87] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 2mb29q9eah-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <acme@ietf.org>; Thu, 06 Sep 2018 16:50:20 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w86Fb2K2020759 for <acme@ietf.org>; Thu, 6 Sep 2018 11:50:19 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.32]) by prod-mail-ppoint4.akamai.com with ESMTP id 2m7p3wrms8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <acme@ietf.org>; Thu, 06 Sep 2018 11:50:19 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Thu, 6 Sep 2018 11:50:17 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1365.000; Thu, 6 Sep 2018 11:50:16 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: IETF ACME <acme@ietf.org>
Thread-Topic: [Acme] ACME breaking change: Most GETs become POSTs
Thread-Index: AQHUQLgY8IiFXRttpU2nfkigMDQFKKTasAIAgAj2xID//8pmAA==
Date: Thu, 06 Sep 2018 15:50:16 +0000
Message-ID: <A53CF702-D5DA-4A68-B677-4707A1C2E990@akamai.com>
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <CAL02cgQ1BAzYH4f1nUD3fO0dKTc4mVrJ_NnoKq+Zb0BjT9J35Q@mail.gmail.com> <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com>
In-Reply-To: <CAL02cgTDMqQ0jPojqUBAVBW=TRFGU0_ntfcLGUsTbPtvfitDKQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.0.180812
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.252]
Content-Type: multipart/alternative; boundary="_000_A53CF702D5DA4A68B6774707A1C2E990akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-06_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809060153
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-06_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809060155
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/f8bHkPStDqvcxG3MX4ue34dYYbU>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Sep 2018 15:50:26 -0000

We have already had some discussion on this.  I do not want to reset the WGLC.  Please take a look at the PR, it addresses issue that were brought up during IESG review.

If you have objections or concerns, please reply by the end of next week, 14 sep.

From: Richard Barnes <rlb@ipv.sx>
Date: Thursday, September 6, 2018 at 11:02 AM
To: "acme@ietf.org" <acme@ietf.org>
Cc: "<acme-chairs@ietf. org>" <acme-chairs@ietf.org>, Eric Rescorla <ekr@rtfm.com>, Adam Roach <adam@nostrum.com>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
Resent-From: <alias-bounces@ietf.org>
Resent-To: Rich Salz <rsalz@akamai.com>, Yoav Nir <ynir.ietf@gmail.com>
Resent-Date: Thursday, September 6, 2018 at 11:02 AM

After the weekend's discussions, I've updated the PR to reflect what I understand to be emerging agreement on these topics:

ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing the privacy analysis?
PROPOSED RESOLUTION: Yes.

ISSUE 2: How should we signal that POST-as-GET request is different from other POST requests?
PROPOSED RESOLUTION: A JWS with a zero-octet payload ("")

ISSUE 3: Should servers be required to allow GET requests for certificate URLs?
PROPOSED RESOLUTION: No, but they MAY

ISSUE 4: How should we address the risk that an attacker can discover URLs by probing for Unauthorized vs. Not Found?
PROPOSED RESOLUTION: Security considerations that recommend non-correlatable URL plans

https://github.com/ietf-wg-acme/acme/pull/445<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=ARyNYl3lxrI8cMqtfkMceBinUqRQmbZiPk8NXJWj3O0&e=>

Adam: Is this looking like an approach that would satisfy your DISCUSS?

Chairs / EKR: How would you like to proceed on closing this out?  What are the next process steps?


On Fri, Aug 31, 2018 at 6:08 PM Richard Barnes <rlb@ipv.sx> wrote:
Hey all,

This thread forked into a couple of different issues, so I wanted to post a little end-of-day summary of the issues and where we stand.  I've updated the PR [1] to reflect most of today's discussion.

===

ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing the privacy analysis?

It seems like there's pretty strong agreement that we should get rid of GET, as the architecturally cleanest option.

===

ISSUE 2: How should we signal that POST-as-GET request is different from other POST requests?

The current PR signals this by sending a JWS with an empty (zero-octet) payload, instead of a JSON object.  Jacob and Daniel suggested that we should instead use the payload being an empty JSON object as the signal.  An earlier draft PR used a field in the protected header.

===

ISSUE 3: Should servers be required to allow GET requests for certificate URLs?

I had proposed this earlier today; Jacob and Daniel pushed back.  I have implemented a compromise in the latest PR, where servers MAY accept GET requests.

===

ISSUE 4: How should we address the risk that an attacker can discover URLs by probing for Unauthorized vs. Not Found?

There seemed to be agreement on the list that this should be addressed with some guidance to servers on how to assign URLs.  I have just added some text to the PR for this.

===

It seems to me we're pretty much closed on the first issue, and the other three are still open.  Please send comments, so we can resolve this issue and get the document back in motion!

Thanks,
--Richard

[1] https://github.com/ietf-wg-acme/acme/pull/445<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=ARyNYl3lxrI8cMqtfkMceBinUqRQmbZiPk8NXJWj3O0&e=>

On Thu, Aug 30, 2018 at 7:20 PM Jacob Hoffman-Andrews <jsha@eff.org<mailto:jsha@eff.org>> wrote:
ACME currently has unauthenticated GETs for some resources. This was
originally discussed in January 2015[1]. We decided to put all sensitive
data in the account resource and consider all GET resources public, with
a slant towards transparency.

Adam Roach recently pointed out in his Area Director review that even
when the contents of GET URLs aren’t sensitive, their correlation may
be. For instance, some CAs might consider the grouping of certificates
by account to be sensitive.

Richard Barnes proposes[2] to change all GETs to POSTs (except directory
and new-nonce). This will be a breaking change. Clients that were
compatible with previous drafts, informally called ACMEv1 and ACMEv2,
will not be compatible with a draft that mandates POSTs everywhere. It
will be a painful change, since the ecosystem just started switching to
ACMEv2, which looked to be near-final.

I think this is the right path forwards. ACME will be a simpler, better
protocol long-term if all requests are authenticated. However, if we’re
taking this path we should aim to come to consensus and land the final
spec quickly to reduce uncertainty for ACME client implementers.

[1] https://github.com/letsencrypt/acme-spec/pull/48#issuecomment-70169712<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_letsencrypt_acme-2Dspec_pull_48-23issuecomment-2D70169712&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=-4g1lhzE_4QDBMJ-WyE17zBBm61tdp2A-ImhSpqHet4&e=>
[2] https://github.com/ietf-wg-acme/acme/pull/445/files<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ietf-2Dwg-2Dacme_acme_pull_445_files&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=LoHY-1DpWoqgeBKRrhoq2l8n4_M01eB2qOjY9yUEaRA&e=>

_______________________________________________
Acme mailing list
Acme@ietf.org<mailto:Acme@ietf.org>
https://www.ietf.org/mailman/listinfo/acme<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_acme&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=0WrTFNH1Dw6ptcTgU6p4wrd1zn3ZVatHDOrx8DbEWUM&s=-4LvMdxd6Cmfi4d1ClEC2VFM8ndqUtWVEkoSNvTrg2M&e=>

v2.23.0 | Report a Bug | By Email