Re: [Acme] Post-IETF-96 PRs
Ron <ron@debian.org> Mon, 08 August 2016 18:12 UTC
Return-Path: <ron@debian.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4053712D87D for <acme@ietfa.amsl.com>; Mon, 8 Aug 2016 11:12:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0f_BmgbZ0Ojp for <acme@ietfa.amsl.com>; Mon, 8 Aug 2016 11:12:37 -0700 (PDT)
Received: from ipmail05.adl6.internode.on.net (ipmail05.adl6.internode.on.net [150.101.137.143]) by ietfa.amsl.com (Postfix) with ESMTP id 8A01612B035 for <acme@ietf.org>; Mon, 8 Aug 2016 11:12:36 -0700 (PDT)
Received: from ppp121-45-12-92.lns20.adl2.internode.on.net (HELO mailservice.shelbyville.oz) ([121.45.12.92]) by ipmail05.adl6.internode.on.net with ESMTP; 09 Aug 2016 03:42:22 +0930
Received: from localhost (localhost [127.0.0.1]) by mailservice.shelbyville.oz (Postfix) with ESMTP id 85E51FFBF6; Tue, 9 Aug 2016 03:42:21 +0930 (ACST)
X-Virus-Scanned: Debian amavisd-new at mailservice.shelbyville.oz
Received: from mailservice.shelbyville.oz ([127.0.0.1]) by localhost (mailservice.shelbyville.oz [127.0.0.1]) (amavisd-new, port 10024) with LMTP id FRA8tWvL_EcV; Tue, 9 Aug 2016 03:42:21 +0930 (ACST)
Received: from hex.shelbyville.oz (hex.shelbyville.oz [192.168.1.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mailservice.shelbyville.oz (Postfix) with ESMTPS id E1FC7FFB59; Tue, 9 Aug 2016 03:42:20 +0930 (ACST)
Received: by hex.shelbyville.oz (Postfix, from userid 1000) id D2BCF80473; Tue, 9 Aug 2016 03:42:20 +0930 (ACST)
Date: Tue, 09 Aug 2016 03:42:20 +0930
From: Ron <ron@debian.org>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <20160808181220.GB8744@hex.shelbyville.oz>
References: <CAL02cgQV479=88TDYg7xjOAiDq7zjMHR5hnhjCsuePL8PF3i8A@mail.gmail.com> <CAL02cgQDhsCri=1ESwNRDEvBhh3Qg69zJURy+aoYQfJvypZC4A@mail.gmail.com> <23e469ca-5a23-c4d5-edb1-be36231884f8@eff.org> <CABkgnnVXsyStuZqKh9xhT7t_LTZ-RLnw4q6PjOdCZetAK+cHAw@mail.gmail.com> <CAL02cgTO87ohy_-h0PUfRG1xTE=R8c=-gKhL03VnsB=qr8st=g@mail.gmail.com> <CABkgnnUiYMSNqzTU=uqke4Yz391Ca1Ope0tmha8jEph+XJx6Og@mail.gmail.com> <CAL02cgTnQAPv4G7OtcRSnw7ovQ6__-Eyp6VHn=7LHJBgkJJrZQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgTnQAPv4G7OtcRSnw7ovQ6__-Eyp6VHn=7LHJBgkJJrZQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mrrzZmQwJUBhQPpdEMVShBzinP4>
Cc: "acme@ietf.org" <acme@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Jacob Hoffman-Andrews <jsha@eff.org>
Subject: Re: [Acme] Post-IETF-96 PRs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 18:12:38 -0000
On Mon, Aug 08, 2016 at 09:53:07AM -0700, Richard Barnes wrote: > On Sun, Aug 7, 2016 at 8:29 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > > > On 8 August 2016 at 12:39, Richard Barnes <rlb@ipv.sx> wrote: > > > So I'm honestly not that convinced that we need versioning at all here. > > > Maybe we could get away with just versioning the directory? (As I think > > the > > > original issue proposed :) ) > > > > > > I believe that it was PHB who requested this originally, the rationale > > being that you might create a new version of the same resource/request > > that looked similar, but had different semantics. Rather than rely on > > having us (in all our possible future incarnations) not doing that, a > > version indicator would make signatures invalid. > > > > If that is a requirement that you accept, then a much simpler scheme > > than the one you wrote up is possible. Versioning the directory isn't > > sufficient to achieve that goal though. The first part of your PR > > would work though: include a version, and require that it be checked. > > > > Looking at the minutes from Berlin... > > "RLB: do we need both server and client versions? MT: sure" > > :) > > I'm not sure we can get away without any server versioning. The server > needs some way to signal support, even if it's only in an error message. > > Again, I'm not totally convinced that semantic mismatches are that big a > deal. The "url" parameter already scopes the signed object to a specific > resource, so the only risk would be if that specific resource accepts > different object formats that are confusable with one another. You need > some signal to disambiguate, but it's not clear to me that having one big > version is the best solution. FWIW, we did have that situation when the "delete":true flag was added to the -02 "resource":"reg" object - in that Boulder 'successfully' did something quite different by not implementing that flag if a client tried to use it ... But I do agree that sort of thing can be mitigated with some careful thought about whether we can safely ever extend objects like that or not. And if we can't, by implementing a new object or resource that does have the desired semantics. This is JSON, we can trivially rename things in expressive ways if needed. Unlike a bit-starved binary format where you could only spare a few bits for a 'version number' to tell you that the otherwise unlabelled byte 4 still means what you previously thought it did.
- Re: [Acme] Post-IETF-96 PRs Roland Shoemaker
- Re: [Acme] Post-IETF-96 PRs Martin Thomson
- Re: [Acme] Post-IETF-96 PRs Ron
- Re: [Acme] Post-IETF-96 PRs Richard Barnes
- Re: [Acme] Post-IETF-96 PRs Martin Thomson
- Re: [Acme] Post-IETF-96 PRs Richard Barnes
- Re: [Acme] Post-IETF-96 PRs Richard Barnes
- Re: [Acme] Post-IETF-96 PRs Martin Thomson
- Re: [Acme] Post-IETF-96 PRs Peter Bowen
- Re: [Acme] Post-IETF-96 PRs Jacob Hoffman-Andrews
- Re: [Acme] Post-IETF-96 PRs Richard Barnes
- Re: [Acme] Post-IETF-96 PRs Jacob Hoffman-Andrews
- Re: [Acme] Post-IETF-96 PRs Richard Barnes
- [Acme] Post-IETF-96 PRs Richard Barnes