Re: [Trans] Some comments on the Web Service part

Eran Messeri <> Thu, 06 March 2014 11:29 UTC

List-Id: Public Notary Transparency working group discussion list <>

On Wed, Mar 5, 2014 at 6:41 PM, Phillip Hallam-Baker <> wrote:

> 1) This is a specified service, shouldn't it be registered as a
> .well-known service?
> This means that the CT log can play nice with other services on the same
> server.
> (obviously have to replace ct with what we register)
Could you please point to the standard specifying how these well-known
services are defined?
Regardless, it seems to be independent of the commands specification that a
CT log must conform to.
The Google-managed logs have an address that conforms with the rest of the
HTTP APIs Google offers. We technically could offer, if it provides strong benefit.
Since we expect few, well-known logs, I can't see the benefit in
registering it as a well-known service since very few domains are expected to
offer it (i.e. there is no benefit in making it easily discoverable).

> 2) The command should be present in the JSON request.
Do you mean this as an addition or instead of specifying the command in
the request line?
Is there a specific web traffic management system that you know/expect to
cause problems?

> HTTP request lines are hard to protect with message level authentication.
> Putting the command in the content means that it is covered independently.
> Reason this matters is that the request line and headers tend to get
> 'battered' as they pass through enterprise scale web traffic management
> systems. The same is true of TLS authentication that tends to get stripped
> out at the front door by some sort of message router.
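The point raised in item 2, that a command carried in the content is covered by message-level authentication while the request line is not, shown as an added example that is not part of the original thread. It assumes an HMAC-SHA256 over the body with a constructed shared key and a hypothetical `command` JSON field; the thread specifies neither, and the command names are the ones RFC 6962 defines.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared secret (assumption, demo only)


def sign_body(body: bytes) -> str:
    """MAC over the message content only; request line and headers are not covered."""
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def make_request(command: str, params: dict) -> dict:
    """Client: name the command in the URL path and again inside the signed JSON body."""
    # "command" is a hypothetical field name, not one the thread or RFC 6962 defines.
    body = json.dumps({"command": command, "params": params}, sort_keys=True).encode()
    return {"path": "/ct/v1/" + command, "body": body, "mac": sign_body(body)}


def rewrite_path(request: dict, new_path: str) -> dict:
    """Stand-in for an intermediary that alters the request line in transit."""
    return {**request, "path": new_path}


def _verify(request: dict) -> None:
    if not hmac.compare_digest(sign_body(request["body"]), request["mac"]):
        raise ValueError("bad MAC")


def dispatch_on_path(request: dict) -> str:
    """Verifies the body MAC, then takes the command from the unprotected path."""
    _verify(request)
    return request["path"].rsplit("/", 1)[-1]


def dispatch_on_body(request: dict) -> str:
    """Verifies the body MAC, then takes the command from the covered content."""
    _verify(request)
    return json.loads(request["body"])["command"]


if __name__ == "__main__":
    sent = make_request("add-chain", {"chain": ["constructed-cert"]})
    received = rewrite_path(sent, "/ct/v1/add-pre-chain")
    print("path-based dispatch:", dispatch_on_path(received))  # MAC passes, command changed
    print("body-based dispatch:", dispatch_on_body(received))  # MAC passes, command intact
```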