IETF Logo Mail Archive

Re: [Acme] Post-IETF-96 PRs

Ron <ron@debian.org> Mon, 08 August 2016 18:12 UTC

Return-Path: <ron@debian.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4053712D87D for <acme@ietfa.amsl.com>; Mon, 8 Aug 2016 11:12:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0f_BmgbZ0Ojp for <acme@ietfa.amsl.com>; Mon, 8 Aug 2016 11:12:37 -0700 (PDT)
Received: from ipmail05.adl6.internode.on.net (ipmail05.adl6.internode.on.net [150.101.137.143]) by ietfa.amsl.com (Postfix) with ESMTP id 8A01612B035 for <acme@ietf.org>; Mon, 8 Aug 2016 11:12:36 -0700 (PDT)
Received: from ppp121-45-12-92.lns20.adl2.internode.on.net (HELO mailservice.shelbyville.oz) ([121.45.12.92]) by ipmail05.adl6.internode.on.net with ESMTP; 09 Aug 2016 03:42:22 +0930
Received: from localhost (localhost [127.0.0.1]) by mailservice.shelbyville.oz (Postfix) with ESMTP id 85E51FFBF6; Tue, 9 Aug 2016 03:42:21 +0930 (ACST)
X-Virus-Scanned: Debian amavisd-new at mailservice.shelbyville.oz
Received: from mailservice.shelbyville.oz ([127.0.0.1]) by localhost (mailservice.shelbyville.oz [127.0.0.1]) (amavisd-new, port 10024) with LMTP id FRA8tWvL_EcV; Tue, 9 Aug 2016 03:42:21 +0930 (ACST)
Received: from hex.shelbyville.oz (hex.shelbyville.oz [192.168.1.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mailservice.shelbyville.oz (Postfix) with ESMTPS id E1FC7FFB59; Tue, 9 Aug 2016 03:42:20 +0930 (ACST)
Received: by hex.shelbyville.oz (Postfix, from userid 1000) id D2BCF80473; Tue, 9 Aug 2016 03:42:20 +0930 (ACST)
Date: Tue, 09 Aug 2016 03:42:20 +0930
From: Ron <ron@debian.org>
To: Richard Barnes <rlb@ipv.sx>
Message-ID: <20160808181220.GB8744@hex.shelbyville.oz>
References: <CAL02cgQV479=88TDYg7xjOAiDq7zjMHR5hnhjCsuePL8PF3i8A@mail.gmail.com> <CAL02cgQDhsCri=1ESwNRDEvBhh3Qg69zJURy+aoYQfJvypZC4A@mail.gmail.com> <23e469ca-5a23-c4d5-edb1-be36231884f8@eff.org> <CABkgnnVXsyStuZqKh9xhT7t_LTZ-RLnw4q6PjOdCZetAK+cHAw@mail.gmail.com> <CAL02cgTO87ohy_-h0PUfRG1xTE=R8c=-gKhL03VnsB=qr8st=g@mail.gmail.com> <CABkgnnUiYMSNqzTU=uqke4Yz391Ca1Ope0tmha8jEph+XJx6Og@mail.gmail.com> <CAL02cgTnQAPv4G7OtcRSnw7ovQ6__-Eyp6VHn=7LHJBgkJJrZQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAL02cgTnQAPv4G7OtcRSnw7ovQ6__-Eyp6VHn=7LHJBgkJJrZQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mrrzZmQwJUBhQPpdEMVShBzinP4>
Cc: "acme@ietf.org" <acme@ietf.org>, Martin Thomson <martin.thomson@gmail.com>, Jacob Hoffman-Andrews <jsha@eff.org>
Subject: Re: [Acme] Post-IETF-96 PRs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Aug 2016 18:12:38 -0000

On Mon, Aug 08, 2016 at 09:53:07AM -0700, Richard Barnes wrote:
> On Sun, Aug 7, 2016 at 8:29 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> 
> > On 8 August 2016 at 12:39, Richard Barnes <rlb@ipv.sx> wrote:
> > > So I'm honestly not that convinced that we need versioning at all here.
> > > Maybe we could get away with just versioning the directory?  (As I think
> > the
> > > original issue proposed :) )
> >
> >
> > I believe that it was PHB who requested this originally, the rationale
> > being that you might create a new version of the same resource/request
> > that looked similar, but had different semantics.  Rather than rely on
> > having us (in all our possible future incarnations) not doing that, a
> > version indicator would make signatures invalid.
> >
> > If that is a requirement that you accept, then a much simpler scheme
> > than the one you wrote up is possible.  Versioning the directory isn't
> > sufficient to achieve that goal though.  The first part of your PR
> > would work though: include a version, and require that it be checked.
> >
> 
> Looking at the minutes from Berlin...
> 
> "RLB: do we need both server and client versions? MT: sure"
> 
> :)
> 
> I'm not sure we can get away without any server versioning.  The server
> needs some way to signal support, even if it's only in an error message.
> 
> Again, I'm not totally convinced that semantic mismatches are that big a
> deal.  The "url" parameter already scopes the signed object to a specific
> resource, so the only risk would be if that specific resource accepts
> different object formats that are confusable with one another.  You need
> some signal to disambiguate, but it's not clear to me that having one big
> version is the best solution.

FWIW, we did have that situation when the "delete":true flag was added
to the -02 "resource":"reg" object - in that Boulder 'successfully' did
something quite different by not implementing that flag if a client
tried to use it ...

But I do agree that sort of thing can be mitigated with some careful
thought about whether we can safely ever extend objects like that or
not.  And if we can't, by implementing a new object or resource that
does have the desired semantics.

This is JSON, we can trivially rename things in expressive ways if
needed.  Unlike a bit-starved binary format where you could only spare
a few bits for a 'version number' to tell you that the otherwise
unlabelled byte 4 still means what you previously thought it did.

v2.23.0 | Report a Bug | By Email