Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
Felix Fontein <felix@fontein.de> Thu, 30 August 2018 13:49 UTC
Return-Path: <felix@fontein.de>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3BD0130E85 for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 06:49:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=fontein.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HQKGjS81xj2e for <acme@ietfa.amsl.com>; Thu, 30 Aug 2018 06:48:59 -0700 (PDT)
Received: from fontein.de (fontein.de [IPv6:2001:1680:101:2a::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC48B130E6F for <acme@ietf.org>; Thu, 30 Aug 2018 06:48:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=fontein.de; s=20160508; h=References:In-Reply-To:Subject:To:From:Date:Cc; bh=TosskQRe3SXUibOZS0zHEX3v8gSCl+G1VV9K+3cqL8c=; b=pxbzy5TLDKzLREkrRZRihnXmD1 WCMQLNtVGNgGtk38r22h6NLzbpIzEphQqiVI4ZFg6JKAxmi8o72a0TDyA8ZumEv8n0Nz1o6jso8wZ dFvN7rsXkzDRGp5L99XDfC3tSjlSI/BBvwCSchnqtvrMC7K03HrIp8SRm/FEw6EaUGt8sAAacbIob Tiwt6PA+xl/Cn/16EFcpHCmA674cS1vE1/xtbcIGj1ASKgjsyEtyE1sfoupLQ5/4rlHwqPyeQKqKP C2RPpkZoEaejvNdZRoOT0ctwQmwP0P1zxTKLsOrthWc7Aytv1yGleYtnEdLmYfGogat2yWLs/OjuQ roH9ssG29S4lbhrLIM69aejDh9tGKFirRa/cRZZz7atTL+qPe3nmUE9PsiYJhxSfKYL1SkPtGDJXM g/3PNHUpPHTEsI4udkxxNl1Q1js9ilShppIpoeyiu32AyUuwbMg0O83JWIkZaEPXHn2xv2hBtBWsg DER+Mr7ROTNdANdpYm+n4BOV8ZS8qpDwVPJtoRh3GujYWe6QH5Ib+mF8KaHO3i6uW18KWTiE3RNDF 9DsAx0inb/xkOcGgfzhJH8Hu885fbhXTT/PfzeoA1qdetlSEddiRSPmuis7uTe+coywUvooDmzdJt ZSrzS8mXDbwt1pCscex6XqnKqGeTGZslrAiq0Gfz0=;
Received: from 80-218-21-15.dclient.hispeed.ch ([80.218.21.15] helo=rovaniemi) by fontein.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim) (envelope-from <felix@fontein.de>) id 1fvNJg-0003aj-Da for acme@ietf.org; Thu, 30 Aug 2018 15:48:57 +0200
Date: Thu, 30 Aug 2018 15:48:50 +0200
From: Felix Fontein <felix@fontein.de>
To: acme@ietf.org
Message-ID: <20180830154850.21a82df5@rovaniemi>
In-Reply-To: <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com>
References: <153560463159.14901.5253843942494748934.idtracker@ietfa.amsl.com> <CAL02cgS0_d5qfraPoN2rmrZ9qGqmVdGdHu_a8knNkFcD1kcwpQ@mail.gmail.com> <8b419e1e-1bea-a1c3-159f-ad049a6c113e@nostrum.com>
X-Mailer: Claws Mail 3.17.1 (GTK+ 2.24.32; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam_score: -2.9
X-Spam_score_int: -28
X-Spam_bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/xgkpqxsDwl5umGJpJOiZtGeR9ZA>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Aug 2018 13:49:02 -0000
Hello, > On 8/30/18 7:55 AM, Richard Barnes wrote: > > Focusing on DISCUSS comment for now, will pick up COMMENTs later. > > > > On your DISCUSS, I think you're off on a couple of small things > > > Yeah, I woke up with the sudden realization that I'd had the wrong > model in my head when I talked through the cert endpoint. All that's > there is a signed public cert rather than a public/private pair, so > it's not sensitive. what happens if the cert URL is not https://example.com/acme/cert/somerandomlookingidentifier, but https://example.com/acme/acct/2/order/1/cert? Then someone can still do identification correlation when the certificate can be downloaded without authentication. Cheers, Felix > > , but right on the underlying point that the document doesn't > > really provide any guidance as to which resources a server should > > consider sensitive. I agree that it would be good to say more, and > > I've started up a PR for this. > > > > https://github.com/ietf-wg-acme/acme/pull/443 > > > Thanks -- that fixes the text I cite. > > > > > > I don't agree that sensitivity entails a need for non-guessable > > URLs. If accessing the URL requires authentication, then it doesn't > > matter if someone can guess it; unauthorized people can't access it > > even if they can guess it. I guess you could argue that if you > > made a random URL and only distributed it in authenticated > > channels, then you could allow GETs to it, using the URL itself as > > an authenticator. But that seems super brittle; I would rather > > just have all the authentication be based on signing. So at best, > > random URLs are a backstop against a CA making the wrong decision > > about GETs. > > > Yup, that seems better. > > > > > > You're also correct to note that some resources might be sensitive > > that we now instruct clients to poll with GETs. For example, the > > client is supposed to poll an authorization resource to see when it > > validates, but if the authz has a TN in it and so is considered > > sensitive, you won't be able to do a GET. I think the right answer > > here is to have the server return 405 Method Not Allowed if it gets > > a GET and have the client fall back to an authenticated "POST {}", > > which should be equivalent to a GET in all cases. > > > That seems like a good clarification. The one remaining issue is the > table at the bottom of §7.1, which shows GETs for resources that the > new text says CAs might consider sensitive. I catch the "might" in > that sentence, but it seems that identification correlation is a > pretty powerful privacy leak, and would strongly suggest that the > table be revised to show POSTs for retrieval of order resources. > Whether you take this suggestion is up to you -- I'll clear my > DISCUSS either way. > > /a
- [Acme] Adam Roach's Discuss on draft-ietf-acme-ac… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Felix Fontein
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Salz, Rich
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Adam Roach
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Salz, Rich
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Felipe Gasper
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Fossati, Thomas (Nokia - GB/Cambridge)
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes
- Re: [Acme] Adam Roach's Discuss on draft-ietf-acm… Richard Barnes