Re: [Acme] various issues with the spec
Stefan Bühler <acme@stbuehler.de> Sat, 13 June 2015 22:24 UTC
Return-Path: <acme@stbuehler.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 534951B3112 for <acme@ietfa.amsl.com>; Sat, 13 Jun 2015 15:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.339
X-Spam-Level: *
X-Spam-Status: No, score=1.339 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uksp7BYUBTWO for <acme@ietfa.amsl.com>; Sat, 13 Jun 2015 15:24:39 -0700 (PDT)
Received: from mail.stbuehler.de (stbuehler.de [IPv6:2a01:4f8:a0:2276::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF5021B3114 for <acme@ietf.org>; Sat, 13 Jun 2015 15:24:38 -0700 (PDT)
Received: from chromobil.localdomain (unknown [IPv6:2a02:8070:a18c:cc00:baca:3aff:fed7:a10a]) by mail.stbuehler.de (Postfix) with ESMTPSA id 9BEBCB8039A for <acme@ietf.org>; Sat, 13 Jun 2015 22:24:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=stbuehler.de; s=stbuehler1; t=1434234276; bh=nGj6xu5a9gGAGH9XHSIhIHj17VRkT0lsNspALmtoLIY=; h=Date:From:To:Subject:In-Reply-To:References:From; b=J0u0kEsxkCqShxHWPXifEYi18x/2BhzKOnirNzFh96OoKUTcTddhFQ7v26W8R/Yk+ t1dCgNpK8LCVvoHHC8ViO8RquatMcavSFkiWtCbUCQ+CVAJS+C7TNFNsMDF8S7Mwyi SwsggqxrI5cy/ZAsbvoNmw1NOiBhGqRC6pFtcTVE=
Date: Sun, 14 Jun 2015 00:24:32 +0200
From: Stefan Bühler <acme@stbuehler.de>
To: acme@ietf.org
Message-ID: <20150614002432.58be28e7@chromobil.localdomain>
In-Reply-To: <7ed545b29d5149ebba5582dfec9777f5@ustx2ex-dag1mb2.msg.corp.akamai.com>
References: <20150609221325.63935a29@chromobil.localdomain> <20150613232121.51f292af@chromobil.localdomain> <7ed545b29d5149ebba5582dfec9777f5@ustx2ex-dag1mb2.msg.corp.akamai.com>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/hCh6KfeoNBaW5NZjzRchfmduFk4>
Subject: Re: [Acme] various issues with the spec
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Jun 2015 22:24:40 -0000
On Sat, 13 Jun 2015 21:24:41 +0000 "Salz, Rich" <rsalz@akamai.com> wrote: > > As it doesn't look like there is anyone interested in them on this > > mailing list I'll keep them to myself, or post them to github when > > I find the time. > > No, please post here. Ok, here we go: * I don't see how a client would determine the /acme/revoke-cert URI, it isn't part of any Link header as far as I could see. Perhaps it should be part of the Link headers of the registration? * Updates should use "PUT" instead of "POST", as they should be idempotent * When updating a registration sending empty "contact"/"agreement" should actually reset them (if allowed) compared to not sending them, which just retrieves the currently set values. I.e. posting {"contact":[]} should delete all contact information. * All responses to successful updates should contain the same "Link" headers as the creating request did. * The "success" status code for updates should be documented. Right now boulder always returns "202 Accepted". For challenges the spec says `The server provides a 200 response including the updated challenge.`; boulder returns 202 anyway. * simpleHttps: `The content type of the resource MUST be "text/plain"` versus `4. Verify that the Content-Type header of the response is either absent, or has the value "text/plain"` Is an absent Content-Type header ok or not? * dvsni: Please don't require the domain name which is being validated to be part of subjectAltName; configuring such certificate might break a working setup in production, when it "wins" over an already present and valid certificate for the domain. * dvsni: Don't require it to be a self-signed certificate - what does it matter who signed it? * dvsni: `The public key is the public key for the key pair being authorized`. I hope this was just an accident, this would be *really* wrong to require. I guess that the "dns" challenge type is probably not ready yet; but I suggest adding a "nodns" challenge which should be required in all combinations which don't include "dns": no any _acme-challenge TXT must be present. Maybe another type "nodnssec" could also be added, to require DNSSEC in all combinations not including "dns" - so DNSSEC domains always have to be authorized by "dns" challenge. Also I'd like to suggest making "dns" more powerful; for example making it possible to authorize accounts by public key and to authorize sub domains. Example: _acme-challenge.example.com TXT "inherit:1 key-sha256:47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU=" _acme-challenge.example.com TXT "token:17817c66b60ce2e4012dfad92657527a"
- [Acme] various issues with the spec Stefan Bühler
- Re: [Acme] various issues with the spec Stefan Bühler
- Re: [Acme] various issues with the spec Salz, Rich
- Re: [Acme] various issues with the spec Stefan Bühler
- Re: [Acme] various issues with the spec hallam
- Re: [Acme] various issues with the spec Fraser Tweedale
- Re: [Acme] idempotent requests (various issues wi… Stefan Bühler
- Re: [Acme] various issues with the spec Fraser Tweedale
- Re: [Acme] various issues with the spec Stefan Bühler
- Re: [Acme] various issues with the spec Phillip Hallam-Baker