[Trans] Some comments on the Web Service part

Phillip Hallam-Baker <hallam@gmail.com> Wed, 05 March 2014 18:41 UTC

From: Phillip Hallam-Baker <hallam@gmail.com>
To: "trans@ietf.org" <trans@ietf.org>
Date: Wed, 05 Mar 2014 18:41:21 +0000
Message-ID: <CAMm+LwipgTevGFqs0PphNTpn=1ZZgSjVVvMe2Srco4JN8F_fQg@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/abgVxEbUUxZvFp3Wpbdh0BGFcO4
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>

1) This is a specified service; shouldn't it be registered as a .well-known
service?

http://example.com/.well-known/ct/1

This means that the CT log can play nice with other services on the same
server.

(obviously have to replace ct with what we register)


2) The command should be present in the JSON request.

HTTP request lines are hard to protect with message level authentication.
Putting the command in the content means that it is covered independently.

The reason this matters is that the request line and headers tend to get
'battered' as they pass through enterprise-scale web traffic management
systems. The same is true of TLS authentication, which tends to get stripped
out at the front door by some sort of message router.




-- 
Website: http://hallambaker.com/
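To illustrate point 2 of the message above, here is an added example (not code from the original post, the CT specification, or any log implementation) of a request whose command travels in the JSON body and is covered by a message-level authenticator, so that a proxy rewriting the request line does not invalidate it, while any change to the body does. The command names, the /.well-known/ct/1 path, the HMAC-SHA256 authenticator, the shared key and the handler responses are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example only; a real deployment would use a
# signing key, not a hard-coded HMAC key.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(body: dict) -> bytes:
    """Serialise the JSON body deterministically so signer and verifier hash
    identical bytes regardless of key order or whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(command: str, params: dict, key: bytes = SHARED_KEY) -> dict:
    """Build a request with the command inside the JSON body and an HMAC over
    that body only (the request line and other headers are not covered)."""
    body = {"command": command, "params": params}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {
        "method": "POST",
        "path": "/.well-known/ct/1",  # assumed .well-known registration
        "headers": {"X-Signature": mac},
        "body": body,
    }


# Hypothetical handlers; the responses are constructed sample data.
def handle_get_sth(params: dict) -> dict:
    return {"tree_size": 42, "timestamp": 1394044881208}


def handle_get_entries(params: dict) -> dict:
    return {"entries": list(range(params["start"], params["end"] + 1))}


HANDLERS = {"get-sth": handle_get_sth, "get-entries": handle_get_entries}


def serve(request: dict, key: bytes = SHARED_KEY) -> dict:
    """Verify the body authenticator, then dispatch on the body's command.
    Nothing here depends on request['path'] or request['method']."""
    body = request["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    presented = request["headers"].get("X-Signature", "")
    if not hmac.compare_digest(expected, presented):
        return {"error": "bad signature"}
    handler = HANDLERS.get(body.get("command"))
    if handler is None:
        return {"error": "unknown command"}
    return handler(body.get("params", {}))


def battered_by_proxy(request: dict) -> dict:
    """Simulate an enterprise front door that rewrites the request line and
    adds headers but leaves the content untouched."""
    r = json.loads(json.dumps(request))  # deep copy
    r["path"] = "/ct/v1/get-sth"  # rewritten path: would change a path-keyed command
    r["headers"]["X-Forwarded-For"] = "203.0.113.7"
    return r


def tampered_body(request: dict) -> dict:
    """Simulate an on-path modification of the content after signing."""
    r = json.loads(json.dumps(request))
    r["body"]["params"]["end"] = 10_000_000
    return r


if __name__ == "__main__":
    req = sign_request("get-entries", {"start": 0, "end": 3})
    print(serve(req))                      # served as sent
    print(serve(battered_by_proxy(req)))   # still served: command and MAC live in the body
    print(serve(tampered_body(req)))       # rejected: body no longer matches the MAC
```

Because the path rewrite in `battered_by_proxy` has no effect on what is served, a log keyed on the body command is indifferent to the traffic-management layer, whereas a log that derived the command from the URL would have been silently redirected to a different operation.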