[Trans] Directory instead of .well-known for URL structure
Jacob Hoffman-Andrews <jsha@eff.org> Thu, 20 June 2019 22:33 UTC
Return-Path: <jsha@eff.org>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E35B1201D7 for <trans@ietfa.amsl.com>; Thu, 20 Jun 2019 15:33:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.426
X-Spam-Level:
X-Spam-Status: No, score=-7.426 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.415, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oFEeVq7f0Eo for <trans@ietfa.amsl.com>; Thu, 20 Jun 2019 15:33:27 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE8CF1202A5 for <trans@ietf.org>; Thu, 20 Jun 2019 15:33:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Date: Message-ID:Subject:From:To:Sender:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=KxC/Rp/WLMCB3w4M17ikPJqWaYdWcPsI3e8YCMBGiOs=; b=uHh733rjS7+vEhmBNJB9eYiiWe o1OUDaT2+U7qVNfDI/G8X8RRiRvMOFvtwwNZfMwW9Db+womxw8lIhlXaAeqFzgNB0XcLVEKtNOt1z +JqUJlKRolgYzCDfn0CMgc5RcTbOgJZrRHCzM+OYo2unCvvhYoaFSNF4JbHpDrQiRETs=;
Received: ; Thu, 20 Jun 2019 15:33:27 -0700
To: "trans@ietf.org" <trans@ietf.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org>
Date: Thu, 20 Jun 2019 15:33:26 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/_P51dDMy_-Mo3lojbijQPySv3q8>
Subject: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 22:33:29 -0000
The latest draft adopts a /.well-known/ path for CT as a way to get around BCP 190 (URI Design and Ownership: https://tools.ietf.org/html/bcp190#section-3). Personally I think BCP 190 makes it needlessly painful to specify HTTP-based APIs using techniques that are very common among practitioners. However, given that it is still considered best practice for IETF documents, I propose that CT should use a different workaround, one used very successfully by ACME: Directory URLs. In ACME, a CA defines one URL, a Directory, which provides a JSON dictionary showing where to find the other URLs. For instance: $ curl https://acme-v01.api.letsencrypt.org/directory { "fUKGu3pAntw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf", "website": "https://letsencrypt.org" }, "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert", "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg", "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert" } To use an ACME CA, rather than configuring a base URL, an ACME client configures a directory URL. All other URLs can be found by looking up fields in the directory. Adding a directory to rfc6962-bis provides the most minimally invasive way to satisfy BCP 190. Well-known URLs aren't really meant for this type of application. To quote RFC 5785 (https://tools.ietf.org/html/rfc5785#section-1.1): 1.1. Appropriate Use of Well-Known URIs There are a number of possible ways that applications could use Well- known URIs. However, in keeping with the Architecture of the World- Wide Web [W3C.REC-webarch-20041215], *well-known URIs are not intended** ** for general information retrieval or establishment of large URI** ** namespaces* on the Web. Rather, they are designed to facilitate discovery of information on a site when it isn't practical to use other mechanisms; for example, when discovering policy that needs to be evaluated before a resource is accessed, or when using multiple round-trips is judged detrimental to performance. As such, the well-known URI space was created with the expectation that it will be used to make site-wide policy information and other metadata available directly (if sufficiently concise), or provide references to other URIs that provide such metadata. (emphasis mine) Beyond that, requiring log operators to organize their log under /.well-known/ would pose unnecessary difficulties. Service providers intentionally restrict the /.well-known/ URL space. Depending on deployment model, log operators might have to bypass such restrictions or get special exemptions. Thanks, Jacob
- [Trans] Directory instead of .well-known for URL … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Martin Thomson
- Re: [Trans] Directory instead of .well-known for … Melinda Shore
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Tomas Gustavsson
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Rob Percival
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Ryan Sleevi