Re: [Trans] Directory instead of .well-known for URL structure
Rob Stradling <rob@sectigo.com> Tue, 02 July 2019 15:08 UTC
Return-Path: <rob@sectigo.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39B7412011A for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 08:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=comodoca.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id USH8ypINzJ-d for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 08:08:00 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-eopbgr750075.outbound.protection.outlook.com [40.107.75.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8342F120118 for <trans@ietf.org>; Tue, 2 Jul 2019 08:08:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comodoca.onmicrosoft.com; s=selector1-comodoca-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KjouB+YlReuMysCCd4IIlQ56eEm/tHc9Ge2LVUuNc+c=; b=jJb4aNyBN/MrE0eBeehNDTFpylJbqypDlFqnJluAYdNVlmFoHIdGvu0bSmhvew3btrXepLw9PlexpLcYRq2gpBbEVejx5qTLMpY7bxFZ3l4vN3oY2bIsOOdZJ1VuuCeOUckeR7mCFiUO5yKe0MNJAp/AIcjn8QuU5umvQXeVT5U=
Received: from DM5PR17MB1211.namprd17.prod.outlook.com (10.173.132.148) by DM5PR17MB1980.namprd17.prod.outlook.com (10.173.129.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2032.20; Tue, 2 Jul 2019 15:07:57 +0000
Received: from DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258]) by DM5PR17MB1211.namprd17.prod.outlook.com ([fe80::b556:345c:94cf:7258%6]) with mapi id 15.20.2032.019; Tue, 2 Jul 2019 15:07:57 +0000
From: Rob Stradling <rob@sectigo.com>
To: Andrew Ayer <agwa@andrewayer.name>, "trans@ietf.org" <trans@ietf.org>
Thread-Topic: [Trans] Directory instead of .well-known for URL structure
Thread-Index: AQHVJ7g3xV77fgqjj0ive+Voenofmqa2OUSAgAFHIIA=
Date: Tue, 02 Jul 2019 15:07:57 +0000
Message-ID: <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com>
References: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org> <20190701123701.b3ba6b44ef85a74da6209e64@andrewayer.name>
In-Reply-To: <20190701123701.b3ba6b44ef85a74da6209e64@andrewayer.name>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LNXP265CA0059.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5d::23) To DM5PR17MB1211.namprd17.prod.outlook.com (2603:10b6:3:8b::20)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rob@sectigo.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2a0e:ac00:25d:300:f68e:38ff:fe7a:a226]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d0fa041d-05a5-4417-4742-08d6feff10bd
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR17MB1980;
x-ms-traffictypediagnostic: DM5PR17MB1980:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <DM5PR17MB198081608BC8DCE8E729AB7DAAF80@DM5PR17MB1980.namprd17.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 008663486A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(366004)(376002)(136003)(396003)(39850400004)(199004)(189003)(110136005)(25786009)(53546011)(478600001)(76176011)(102836004)(5660300002)(6306002)(6512007)(99286004)(386003)(316002)(66476007)(6506007)(68736007)(6486002)(66446008)(66556008)(64756008)(6436002)(73956011)(31686004)(229853002)(6246003)(52116002)(46003)(66946007)(476003)(486006)(446003)(11346002)(2616005)(305945005)(7736002)(81166006)(966005)(14454004)(2501003)(2906002)(36756003)(81156014)(31696002)(6116002)(14444005)(186003)(71190400001)(53936002)(8936002)(86362001)(71200400001)(256004)(8676002)(142923001); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR17MB1980; H:DM5PR17MB1211.namprd17.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: sectigo.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: jvQTIViKY/gse1nIXas6TtEAo7rUYpwjRlfPg0qJN3Tp8WL4/+Ltmn0KtP5LXBlpgUWtd3UPfu60BSxl4UTzzGdIrUnzL98C21o7ASwqH9MjqfhHoVHhGoFzjmvV6xky8avsKl8C2Ch5wKvkO7B0eKV7gVK3ZmGzDdSk4MEUmBS/Whk+RsHjod8dHXuNlPAQnBCxafBKIh6TEvdRKByPlH8nx8wbg08iT+5xrVYI8vWhsU8q+XrtZW+OccPyGBV0yWBES8bRldmwPkvP+BnysACS6SfE/J0RL/E8oam+F3W3fQs2yiT7CYC6vKet1m6JTsyJ01pYDcQT05fEIb6HQll6HUuZbvyCoyrcmf7TkmEbELbqJfaVx/tGX27o1/84a19J3syjW5MWI6AIApaZYoOQ/huIgflEpNAhsBC1jCg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <729F9365550CCF47BB8EB988EAE5D1DF@namprd17.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: sectigo.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d0fa041d-05a5-4417-4742-08d6feff10bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2019 15:07:57.5823 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0e9c4894-6caa-465d-9660-4b6968b49fb7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: robs@comodoca.net
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR17MB1980
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/eTAeICWkjx4_xinZJ6NswKjWY4Q>
Subject: Re: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 15:08:04 -0000
Andrew, thanks for your analysis. Comments inline... On 01/07/2019 20:37, Andrew Ayer wrote: > I also think .well-known URLs are a bad idea, for the same reasons > as Jacob. > > I think directories are even worse. Although they've been used > successfully in ACME, CT has different needs which make directories > unsuitable. ACME's usage pattern is to make a series of related > requests over a short time period to drive a certificate request to > issuance, with the client maintaining state between each request. > This makes it natural for a client to fetch the directory once at the > beginning of an issuance "session" and use it for the duration, since > the cost of fetching the directory is amortized over all the requests, > and the directory is unlikely to become invalid during the session. > > However, CT's usage pattern is to make a lot of unrelated one-off > requests spread over a long period of time - e.g. submitting a > (pre)certificate, fetching an inclusion proof, fetching the latest STH > to send to auditors. Clients would have to either fetch a new directory > for every request (doubling the number of requests made to the log) or > cache directories in long-term state (which requires dealing with > cached directories going stale, and requires keeping long-term state > which might not otherwise be necessary). > > ACME's use of directories is underspecified since it doesn't say how > long a directory remains valid. It's not a big deal for ACME because > ACME servers are presumed to be sane, or people would switch to another > CA. It's not been a big deal for ACME...yet. But why leave it to chance? I just filed this erratum against RFC8555: https://www.rfc-editor.org/errata/eid5771 > However, CT is meant to be an adversarial protocol and has to > anticipate logs doing crazy things like constantly changing their > directory in an effort to stymie auditing and hide misbehavior. > > Thus, CT's use of directories would need to be quite well specified. > It is not a change that should be rushed at the last minute without a > chance for people to carefully examine and poke holes in it. Agreed. > CT clients already need to be configured with a number of parameters > for each log - MMD, hash algorithm, public key, log ID, and so on. > Adding a directory would bifurcate log metadata between the existing > parameter set and the new directory object. > > I propose satisfying BCP 190 by simply specifying the URL for each > endpoint as a separate log parameter. This is a very minimal change to > the protocol and avoids the problems above. I agree that it would make sense to require each endpoint to be specified as a log parameter. Your point about bifurcation is well made. So then I think the question is: Should 6962-bis specify a "directory" endpoint that returns a JSON structure that contains all of the log's parameters (including each of the endpoint URLs)? Or should 6962-bis not mandate any particular format by which log operators should distribute this information? Currently, 6962-bis doesn't mandate a format, but it does point to an example format: "[JSON.Metadata] is an example of a metadata format which includes the above elements." Sadly, this claim is not currently true, because [JSON.Metadata] (https://www.gstatic.com/ct/log_list/log_list_schema.json) does not currently "include the above elements". We should fix this somehow. But how? Also, how often is a CT client expected to refresh log metadata it has obtained from (for example) [JSON.Metadata] ? Is it wise to underspecify this? > Regards, > Andrew -- Rob Stradling Senior Research & Development Scientist Sectigo Limited
- [Trans] Directory instead of .well-known for URL … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Martin Thomson
- Re: [Trans] Directory instead of .well-known for … Melinda Shore
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Tomas Gustavsson
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Rob Percival
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Ryan Sleevi