Return-Path: X-Original-To: trans@ietfa.amsl.com Delivered-To: trans@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B22B41A0272 for ; Thu, 6 Mar 2014 03:29:56 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.925 X-Spam-Level: X-Spam-Status: No, score=-1.925 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1lWjPKeHmai for ; Thu, 6 Mar 2014 03:29:54 -0800 (PST) Received: from mail-oa0-x232.google.com (mail-oa0-x232.google.com [IPv6:2607:f8b0:4003:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 9F6D81A01C9 for ; Thu, 6 Mar 2014 03:29:54 -0800 (PST) Received: by mail-oa0-f50.google.com with SMTP id i7so2429278oag.37 for ; Thu, 06 Mar 2014 03:29:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kb5Vrr6fqmLWPjdELOyKsjaL44IFWId072jGbof2fe0=; b=GS9S+CN9+ZMEz5ZiIQLMUbQPf+i48f5EXVf9xui0oFX+i99c6ENRb9u+STqjPIMixi ic8kOwrEV3ayJo11IbDYAc9rQreq3Ud2ePLiqilND5V5Cf7FaEDYKhyVhpfVoDGE8fmO bqvCaEEBu05CF4gDpvyWKeue2y2s1R0pe00H+yyR/NKvudwzVjyOnGca/SfI8YcxL9Cg +XdXP3gPzxsjEq1ZMqzNMDHfWIVvRoXefCB1/BZgV8xmM6hzBtGlaaV8ESTf9OAK0GIm iZFW2k7+Uw/ASU3TGvQi8ABXgtWFA/+FK5ov4RWew1jkHc0bjNVywFLtub9192gSCfUM S4gg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=kb5Vrr6fqmLWPjdELOyKsjaL44IFWId072jGbof2fe0=; b=Em22HJo6zt0nA5UCthBXJCr/evH5DsjF+AzcA0YxJcCu6dS1zdg01k5RublKt245zM +z83Pwa1+SZ5UfmYre42iK9BUZKcUFveqtbfTaJy+48UF01JlDHlnVaW2h/NlELtQ9A9 6U357sN8I8Hp3NniXsuSjTbb1pbkv4ur5rPKEbRXWV9p6jGywKNRQV7P16zV86W4fWxk 1o58X3JOqZPVj7DIOtNBX6ihkYqQfTFAw/V3yJHg9W4CqTApvvZFMa7dZXmWJ5VAn8a5 JisLUbVjjvcgX3pcYMPAZVOHjWV6m1VNI1uioFLSniOf3qtVgYMa1zZvIuEejODYnrpa uD4w== X-Gm-Message-State: ALoCoQl5MMz4x6kmQp3MpcfWNIzOi7Rh0QvgPqAyXzlr52Sj+VGsMPAJ029Me6pjjTFE7j39J8+nYHb+mYgN4rBpYaPqwnO9Viw6pL+aN/EeuT/cEi2DQIa2sKic1NdiT20lT3eWgRibAv3ewMAxK2DgQI3XQsIDV3aZ+Vqsp26kENvRGi1YQlbhABQedN1KnZEJgLjVGmn2 MIME-Version: 1.0 X-Received: by 10.60.73.164 with SMTP id m4mr5244810oev.8.1394105390637; Thu, 06 Mar 2014 03:29:50 -0800 (PST) Received: by 10.182.142.198 with HTTP; Thu, 6 Mar 2014 03:29:50 -0800 (PST) In-Reply-To: References: Date: Thu, 6 Mar 2014 11:29:50 +0000 Message-ID: From: Eran Messeri To: Phillip Hallam-Baker Content-Type: multipart/alternative; boundary=001a1135f1b096d94604f3ee741f Archived-At: http://mailarchive.ietf.org/arch/msg/trans/WqsDoXExStYGmtP9RZXWtGXJJjE Cc: "trans@ietf.org" Subject: Re: [Trans] Some comments on the Web Service part X-BeenThere: trans@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Public Notary Transparency working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2014 11:29:56 -0000 --001a1135f1b096d94604f3ee741f Content-Type: text/plain; charset=UTF-8 On Wed, Mar 5, 2014 at 6:41 PM, Phillip Hallam-Baker wrote: > 1) This is a specified service, shouldn't it be registered as a > .well-known service? > > http://example.com/.well-known/ct/1 > > This means that the CT log can play nice with other services on the same > server. > > (obviously have to replace ct with what we register) > Could you please point to the standard specifying how these well-known services are defined? Regardless, it seems to be independent of the commands specification that a CT log must conform to. The Google-managed logs have an address that conforms with the rest of the HTTP APIs Google offers. We technically could offer https://ct.googleapis.com/.well-known/..., if it provides strong benefit. Since we expect few, well-known logs, I can't see the benefit in registering it as well-known service since very few domains are expected to offer it (i.e. there is no benefit it making it easily discoverable). > > > 2) The command should be present in the JSON request. > > Do you mean this as an addition or instead of specifying the command in the request line? Is there a specific web traffic management system that you know/expect to cause problem? > HTTP request lines are hard to protect with message level authentication. > Putting the command in the content means that it is covered independently. > > Reason this matters is that the request line and headers tend to get > 'battered' as they pass through enterprise scale web traffic management > systems. The same is true of TLS authentication that tends to get stripped > out at the front door by some sort of message router. > > > > > -- > Website: http://hallambaker.com/ > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans > > --001a1135f1b096d94604f3ee741f Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable



On Wed, Mar 5, 2014 at 6:41 PM, Phillip Hallam-Baker <hallam@gmail.= com> wrote:
1) This is a specified service, shouldn&#= 39;t it be registered as a .well-known service?


This means that the CT log can play nice with other ser= vices on the same server.

(obviously have to repla= ce ct with what we register)
Could you please = point to the standard specifying how these well-known services are defined?=
Regardless, it seems to be independent of the commands specification t= hat a CT log must conform to.=C2=A0
The Google-managed logs have = an address that conforms with the rest of the HTTP APIs Google offers. We t= echnically could offer=C2=A0https://ct.googleapis.com/.well-known/..., if it provides strong = benefit.
Since we expect few, well-known logs, I can't see the benefit in r= egistering it as well-known service since very few domains are expected to = offer it (i.e. there is no benefit it making it easily discoverable).


2) The= command should be present in the JSON request.

Do you mean this as an addition or i= nstead of specifying the command in the request line?=C2=A0
Is th= ere a specific web traffic management system that you know/expect to cause = problem?
=C2=A0
HTTP req= uest lines are hard to protect with message level authentication. Putting t= he command in the content means that it is covered independently.

Reason this matters is that the request line and header= s tend to get 'battered' as they pass through enterprise scale web = traffic management systems. The same is true of TLS authentication that ten= ds to get stripped out at the front door by some sort of message router.




--
Website:= http://hallambaker.c= om/

_______________________________________________
Trans mailing list
Trans@ietf.org
h= ttps://www.ietf.org/mailman/listinfo/trans


--001a1135f1b096d94604f3ee741f--