IETF Logo Mail Archive

Re: [Trans] Directory instead of .well-known for URL structure

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 26 June 2019 03:01 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67E0A1204C2 for <trans@ietfa.amsl.com>; Tue, 25 Jun 2019 20:01:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=team.telstra.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8u1anwLKomAb for <trans@ietfa.amsl.com>; Tue, 25 Jun 2019 20:01:05 -0700 (PDT)
Received: from ipxdvo.tcif.telstra.com.au (ipxdvo.tcif.telstra.com.au [203.35.135.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08E75120486 for <trans@ietf.org>; Tue, 25 Jun 2019 20:01:03 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.63,418,1557151200"; d="scan'208,217";a="165381803"
X-Amp-Result: SKIPPED(no attachment in message)
Received: from unknown (HELO ipcavi.tcif.telstra.com.au) ([10.97.217.200]) by ipodvi.tcif.telstra.com.au with ESMTP; 26 Jun 2019 13:01:00 +1000
Received: from wsmsg3701.srv.dir.telstra.com ([172.49.40.169]) by ipcavi.tcif.telstra.com.au with ESMTP; 26 Jun 2019 13:01:00 +1000
Received: from wsapp5873.srv.dir.telstra.com (10.75.11.109) by wsmsg3701.srv.dir.telstra.com (172.49.40.169) with Microsoft SMTP Server (TLS) id 8.3.485.1; Wed, 26 Jun 2019 13:01:00 +1000
Received: from wsapp5584.srv.dir.telstra.com (10.75.131.20) by wsapp5873.srv.dir.telstra.com (10.75.11.109) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 26 Jun 2019 13:00:59 +1000
Received: from AUS01-ME1-obe.outbound.protection.outlook.com (10.172.229.126) by wsapp5584.srv.dir.telstra.com (10.75.131.20) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Wed, 26 Jun 2019 13:00:58 +1000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.telstra.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CEbmCJ/AErvKw2DLVR6fEc/xjHAqL60rG3UD8AiRBWM=; b=iBtOc8Ui1yhSO0methglAeg0uGMGMGDdbqNFhz3JgJT1wSKo7Hf+jSla6+WcIAQdwKOhhhfIL7MHoWP4Ziu9JP+K1Q4jHMK717TLYoZ2mfOKm7z/2EmHAbEczH1EeMnf+pPGcX8t0M0FU+irIlPQklSLj1PsfEUNfsSSq7A3XMM=
Received: from SY2PR01MB2764.ausprd01.prod.outlook.com (52.134.190.138) by SY2PR01MB2554.ausprd01.prod.outlook.com (52.134.187.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.17; Wed, 26 Jun 2019 03:00:58 +0000
Received: from SY2PR01MB2764.ausprd01.prod.outlook.com ([fe80::ad81:55b8:5070:b4a6]) by SY2PR01MB2764.ausprd01.prod.outlook.com ([fe80::ad81:55b8:5070:b4a6%7]) with mapi id 15.20.2008.014; Wed, 26 Jun 2019 03:00:58 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Eran Messeri <eranm=40google.com@dmarc.ietf.org>
CC: Rob Stradling <rob@sectigo.com>, "trans@ietf.org" <trans@ietf.org>
Thread-Topic: [Trans] Directory instead of .well-known for URL structure
Thread-Index: AQHVJ7hG+ux4uZr19UqDBEb3y0EQUaap50UAgAAKWICAAO2VgIAAqeKwgACkWgCAAQcwwA==
Date: Wed, 26 Jun 2019 03:00:57 +0000
Message-ID: <SY2PR01MB27644A19071F56C0DBCC69ADE5E20@SY2PR01MB2764.ausprd01.prod.outlook.com>
References: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org> <48a31dcd-71d9-42c8-9ec3-6104939a59ab@www.fastmail.com> <7161898d-a58d-1625-a041-2e93961e71a2@gmail.com> <f03a2bc2-9058-bafd-37a1-50a1fd5d02d2@sectigo.com> <SY2PR01MB27648842CD64DFBC3E9E3205E5E30@SY2PR01MB2764.ausprd01.prod.outlook.com> <CALzYgEf8GZY8UPr2K3iCYuxJKqVsx1EHJiPuZkKEJJyhRy8bug@mail.gmail.com>
In-Reply-To: <CALzYgEf8GZY8UPr2K3iCYuxJKqVsx1EHJiPuZkKEJJyhRy8bug@mail.gmail.com>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.23
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=James.H.Manger@team.telstra.com;
x-originating-ip: [203.35.9.18]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 356adc22-0a65-498d-770d-08d6f9e2835f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:SY2PR01MB2554;
x-ms-traffictypediagnostic: SY2PR01MB2554:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <SY2PR01MB2554929D2AF29362F60F9057E5E20@SY2PR01MB2554.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 00808B16F3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(136003)(39860400002)(366004)(346002)(396003)(13464003)(199004)(189003)(6306002)(54896002)(236005)(55016002)(53936002)(6246003)(316002)(6436002)(9686003)(52536014)(6116002)(54906003)(476003)(446003)(11346002)(3846002)(2906002)(790700001)(478600001)(71190400001)(73956011)(66946007)(76116006)(71200400001)(14444005)(256004)(486006)(66446008)(66476007)(66556008)(64756008)(72206003)(561944003)(186003)(7696005)(86362001)(74316002)(81156014)(8676002)(76176011)(81166006)(14454004)(99286004)(966005)(25786009)(53546011)(6506007)(26005)(33656002)(102836004)(68736007)(66066001)(606006)(229853002)(5660300002)(7736002)(4326008)(8936002)(142923001); DIR:OUT; SFP:1102; SCL:1; SRVR:SY2PR01MB2554; H:SY2PR01MB2764.ausprd01.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: team.telstra.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: s/mKJczzrXL912tQLIopiOM60num5ZgxytYpPzf4hnSSoe7qfqxs8ToUxQgwNSDTXX/a/kC6fRL92WqbsOMtFubuR4MvNMlUHq0drpDdSPan8PW00TK6XJNbWJLk95SB65V9dTOQvb73MFK31+4X2jIFrRNWoUftzRF2HPNqnvvtSTiujL0o8nkNi/dq/O1NKhgTC3dwFHe8F5TH9eOZ0szR2Y4UEErE1dA7YQO6Sc8VxF5FPQoDEESiYyxpe9kPsIyseD2oR3CC6AvAjbBeYpC10VziFbWksdhKRempHS/tZoFuNjbhl3iWXqCmw4sqv+jbzaGPBsIbmVe8nLH7/QK0bNEGdXKraO9u8a6ROO2Hc3CtQLGtl0vWKjtuIvbZleWeu45jFZ15F+Cj0Vfx2HtqqfpQM8ZdIPHiW4sj2Uw=
Content-Type: multipart/alternative; boundary="_000_SY2PR01MB27644A19071F56C0DBCC69ADE5E20SY2PR01MB2764ausp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 356adc22-0a65-498d-770d-08d6f9e2835f
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Jun 2019 03:00:57.9941 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: James.H.Manger@team.telstra.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY2PR01MB2554
X-OriginatorOrg: team.telstra.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/PVjys-i2ZDTrXsTVZkIHUxFk614>
Subject: Re: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 03:01:11 -0000

I meant a single template to cover all possible actions.

It is easy to define a single template for the current API for a log that uses the query string for the parameters (the “obvious” design), as the example shows:
https://log.example.net/ct/v2/red/{action}{?first}{?second}{?hash}{?start}{?end}<https://log.example.net/ct/v2/red/%7Baction%7D%7B?first%7D%7B?second%7D%7B?hash%7D%7B?start%7D%7B?end%7D>

It is still easy to write a single template that uses path segments for parameters, or a mix of path segments and the query string. Example:
https://log.example.net/ct/v2/red/{action}{/hash}{?first}{?second}{?start}{?end}<https://log.example.net/ct/v2/red/%7baction%7d%7b/hash%7d%7b?first%7d%7b?second%7d%7b?start%7d%7b?end%7d>

Some funky URL designs will not be possible with a single template (eg start & end in a single path segment separated by a hyphen, only for those actions needing those parameters). Other URL designs will work but be a bit messy (eg ?h={hash} to use “h” not “hash” as the query parameter name results in an extra empty param on actions that don’t take a hash).

The RFC6962 and draft-ietf-trans-rfc6962-bis templates don’t comply with BCP190 as they require:
1. An app-specific path (eg /ct/v1), even though it is only after a log-chosen prefix;
2. App-specific ‘action’ values must go into a path segment (eg /get-sth-consistency); and
3. App-specific parameters must go into the query string (eg ?first=20&second=30).

A single template allows a log to put the app-specific variables all in the query string, all in the path, or a mix. That is sufficient for all practical purposes, with minimal overhead. That is enough flexibility to satisfy BCP190 in my opinion, particularly given that every log will use the “obvious” design anyway.

A directory with a separate template for every action is a more pure design: it gives a log total flexibility in URL design; and is easily extendable if the log API gets far more complex in future. At the cost of extra calls & code to read, parse, and process the directory.

--
James Manger

From: Trans <trans-bounces@ietf.org> On Behalf Of Eran Messeri
Sent: Tuesday, 25 June 2019 8:12 PM
To: Manger, James <James.H.Manger@team.telstra.com>
Cc: Rob Stradling <rob@sectigo.com>; trans@ietf.org
Subject: Re: [Trans] Directory instead of .well-known for URL structure

Can you clarify if you mean a single template to cover all possible actions or separate one for each action?

The former would, I think, be tricky to define as different actions have different parameters.
The latter is what we had, and is not in compliance with BCP190.

Either way, the issue here is compliance with BCP190, so if your proposal is in compliance with BCP190 it's worth highlighting why (as it's not clear to me personally).

Thanks,
Eran

On Tue, Jun 25, 2019 at 1:45 AM Manger, James <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>> wrote:
Would it be sufficient to provide a URL template for each log, instead of a directory URL?
Possible text:

  The address of a log is defined by a URL template [RFC6570] that MUST include
  the following variables: action, first, second, hash, start, end.

  'action' identifies the client message, such as 'submit-entry' or 'get-sth'.
  'first' and 'second' are tree sizes. 'hash' is a base64-encoded v2 leaf hash.
  'start' and 'end' are 0-based entry indicies.

  Example: https://log.example.net/ct/v2/red/{action}{?first}{?second}{?hash}{?start}{?end}<https://log.example.net/ct/v2/red/%7Baction%7D%7B?first%7D%7B?second%7D%7B?hash%7D%7B?start%7D%7B?end%7D>

--
James Manger

-----Original Message-----
From: Trans <trans-bounces@ietf.org<mailto:trans-bounces@ietf.org>> On Behalf Of Rob Stradling
Sent: Tuesday, 25 June 2019 12:16 AM
To: Melinda Shore <melinda.shore@gmail.com<mailto:melinda.shore@gmail.com>>; trans@ietf.org<mailto:trans@ietf.org>
Subject: Re: [Trans] Directory instead of .well-known for URL structure

This sounds unanimous.  :-)

I'll go ahead and make this change, and I'll cancel the registration process for "ct" as a .well-known URI suffix.

On 24/06/2019 01:05, Melinda Shore wrote:
> On 6/23/19 3:28 PM, Martin Thomson wrote:
>> I agree with Jacob here. As I have expressed in the past, I believe
>> that this is a better design than the well-known prefix.
>
>> On Fri, Jun 21, 2019, at 08:33, Jacob Hoffman-Andrews wrote:
>>> The latest draft adopts a /.well-known/ path for CT as a way to get
>>>   around BCP 190 (URI Design and Ownership:
>>> https://tools.ietf.org/html/bcp190#section-3).
>>>
>>> Personally I think BCP 190 makes it needlessly painful to specify
>>> HTTP-based APIs using techniques that are very common among
>>> practitioners. However, given that it is still considered best
>>> practice for IETF documents, I propose that CT should use a
>>> different workaround, one used very successfully by ACME: Directory
>>> URLs.
>
> I have a fairly profound dislike for BCP 190, to be honest, and am in
> agreement with the proposal.
>
> Melinda
>

--
Rob Stradling
Senior Research & Development Scientist
Email: rob@sectigo.com<mailto:rob@sectigo.com>
Bradford, UK
Office: +441274024707
Sectigo Limited

This message and any files associated with it may contain legally privileged, confidential, or proprietary information. If you are not the intended recipient, you are not permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately.
_______________________________________________
Trans mailing list
Trans@ietf.org<mailto:Trans@ietf.org>
https://www.ietf.org/mailman/listinfo/trans

_______________________________________________
Trans mailing list
Trans@ietf.org<mailto:Trans@ietf.org>
https://www.ietf.org/mailman/listinfo/trans

v2.23.0 | Report a Bug | By Email