IETF Logo Mail Archive

Re: [Acme] Message Type/Version Identifiers

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 18 December 2014 21:43 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCC01A8877 for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 13:43:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oShLPCB0eBox for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 13:43:49 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 603641A8774 for <acme@ietf.org>; Thu, 18 Dec 2014 13:43:48 -0800 (PST)
Received: by mail-lb0-f174.google.com with SMTP id 10so1703328lbg.19 for <acme@ietf.org>; Thu, 18 Dec 2014 13:43:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=5TSu8KviP06fg2ZFo72zxw+zmQNRr89TC1mfm8VPZBU=; b=APB+aOzGWZzHe0b7h6hGgSnXf7FFyqOyx33e6HjCoJj1a0XseFFj87leaApN4lcJAC jaPOg/VcaPFHpMtSj+g7UkslFUqlWfJzjj/9mmHaqjTt8v+ajF6UT/HkOGXccwDpDBsf FQXh4UCcX6Ph+6+5V70U/xJGGFIEvesMS0OPPrVWRYhG2ZYx46ZQ9THyRpICSoT/NNiN WUD1wkq4lLeOPo06td7Oa7zCRt9g0FmDQiztsvPtS0VH7Cl7mI4dJRAkjo6l3HccOL2c Wn8tc4qExJpXmu2TEx0g/wIdTmkgpbV/n3RU2SfUGXoj97OAG1mnecnGeZeUPcB9B0md NELw==
MIME-Version: 1.0
X-Received: by 10.152.87.67 with SMTP id v3mr4299730laz.97.1418939026823; Thu, 18 Dec 2014 13:43:46 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Thu, 18 Dec 2014 13:43:46 -0800 (PST)
In-Reply-To: <CABkgnnX2PEfJZo+fJiUwTFM4yOzK-ME45fTk_vhN9mRMzzv74A@mail.gmail.com>
References: <5492B595.6020605@gmail.com> <CABkgnnX2PEfJZo+fJiUwTFM4yOzK-ME45fTk_vhN9mRMzzv74A@mail.gmail.com>
Date: Thu, 18 Dec 2014 16:43:46 -0500
X-Google-Sender-Auth: o5N8F8FEOG6MzFnwohBjXnc9Y8w
Message-ID: <CAMm+LwgW+yY4xmqs-099Tkojwnovd_u=95AHygjxqs_kDxujpw@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c3510aa6dfd4050a847c3d"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/flLH70oB-xgMZQ-o0zCyGUr02XM
Cc: "acme@ietf.org" <acme@ietf.org>, Anders Rundgren <anders.rundgren.net@gmail.com>
Subject: Re: [Acme] Message Type/Version Identifiers
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 21:43:51 -0000

+1

We are doing an IETF spec, not a W3C spec.

I have a lot of experience in using URIs as protocol identifiers, I
originally proposed using them in the PICS spec them and I don't think they
work at all. In the PICS spec the specific objective was to drive a wedge
between the Dworkin/Mackinon supporters of censorship and the Religious
Right supporters. If there had been one control lever they would have been
forced to work together to agree on its use. Giving each their own lever
collapsed their coalition.

In that particular instance it was essential to provide a mechanism that
allowed anyone to fork at any time. So it could not use a protocol registry.


Here we have a Web Service spec and the objective is to end up with a
common spec. So the starting point should be an IANA registration. Since we
are doing Web Services, the obvious registry is the SRV registry. It would
also be rather convenient to have a .well-known default URI.

I see no reason not to use the prefix ACME for both. So initial discovery
would be via SRV record:

_acme._ws.example.com SRV 1 1 443 acmehost.example.com


The host is acmehost.example.com, so the service URI is:

http://acmehost.example.com/.well-known/acme/


That leaves two other questions, one is protocol version and the other is
service feature set. These are independent. There might be a 1.0 service
that supports the issue of both server and client certs and a 3.0 service
that only supports server.

We discussed this earlier, but one of the features many folk have suggested
for the ACME protocol is a mechanism that allows a client to interrogate it
to ask what it supports. I think this can be described as an instance of a
general mechanism that can be copied by other specs.

For versioning, the usual Major.Minor convention works fine.
For feature sets, an IANA registry of text keywords using the RFC20 subset
of UTF8 (as we now refer to US-ASCII).


So I would see a conversation of the following sort:

http/1.1 GET http://acmehost.example.com/.well-known/acme/
.. headers ..

{ "Describe" {} }


Responses might be

{ "Versions" : ["1.0"] }

{ "Versions" :["1.0"],
  "Supports" : [
     {"ACME" : ["Server", "Client"] }] }

{ "Versions" : ["1.0", "2.0"]
  "Supports" : [
     {"ACME" : ["Server"] },
     { "Versions" :["2.0"], "ACME" : ["Server", "Client"] }] }

So the first only supports the default features. The second supports Client
and Server cert issue. The third supports the 2.0 version of the protocol
as well as 1.0 but only supports client cert issue for 2.0.

Specifying the Feature and Version numbers as strings allows for a lot of
flexibility. So for example, a service might support version 1.0 and 3.0
but not 2.0 which turned out to be a doofus version (think X.509v2 certs).


If we do this in a well defined fashion we can eventually push the same
attributes out into the DNS as part of the service registration interface
and publish them via some new RR that is TBS which would allow them to be
used for host selection.

Using the SRV/WKS label for the features tag identifies these as attributes
that would be defined in the ACME registry. this allows for better reuse of
code points in the case that we were to use this for other negotiation
dimensions.


An ACME service that does not support the Describe method would only
support the 0.0 version of the service by definition.


Like the signature scheme outlined earlier, this is a module that can be
reused very easily.


On Thu, Dec 18, 2014 at 2:53 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:
>
> On 18 December 2014 at 03:08, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
> > I have "backported" these things to JSON because I think they were
> good.  A
> > system like
> > ACME could also use such a scheme since there will undoubtedly be
> revisions
> > over time.
>
> I can appreciate the attraction, but this is a big "no" for me.
> Absence of these features is one of the reasons that JSON has proven
> successful over XML.
>
> If you need versioning at that level, I'd recommend defining a content
> type instead.
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email