Re: [Trans] Directory instead of .well-known for URL structure
Rob Percival <robpercival@google.com> Tue, 02 July 2019 17:52 UTC
Return-Path: <robpercival@google.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 703EC1206C8 for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 10:52:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVwYw0v8rYGj for <trans@ietfa.amsl.com>; Tue, 2 Jul 2019 10:52:07 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DF1F1206B8 for <trans@ietf.org>; Tue, 2 Jul 2019 10:52:07 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id s20so18091963otp.4 for <trans@ietf.org>; Tue, 02 Jul 2019 10:52:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MhPc162XPaSGHQcdX0W+ObBwe12/7lM7MNB9jF0P3vM=; b=veow4O9c4t3DPvze+5Rn2IoVfPRvYibPb1z3YeB836LYWZ3qrA/tjhlQQ43iXBGX/q awg4EA5fG/4+Z3zZM7jpHNL865Odzqk3JgXW1ObitEdxSWkvWMKPV9fM3yjV0foe2afH oiQKPkQcJb2SNdo+fmSroPrAN1IkAyyxkUQV45q/epD3WkMerO5tPJ5G89+RcWmaSZKx BbFuJGprDrODeXwR8yD2qybPpRG1hk966q7CSRiKjM0I6V+Wqbb8rNmfOTUhzdQKSBx1 3pPP+J8jE7VMB6COWlLoPgMablsDXX5osDRM7y0wQKlNfNANvz+mN/IqsbhWb04h1Wp3 xZxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MhPc162XPaSGHQcdX0W+ObBwe12/7lM7MNB9jF0P3vM=; b=FWeZtywiahRvWLeVXyR2tEuDfFdiFljLJBDCeQJVDw6QyDmT6+Xoj3PMVyFPB4lvR0 /RBhtJwpCyfQ03+YSZHz7aC8aBHSbAmDhEzGUkBjVPPE2oUH7iRbf0NsD51XsU15wSNJ LN+vm/68Qge5cDdJHMHob28+yTlNVilnKZXGQvOfwwM32b4Dn0iqXIBMi1zAkeOma3SZ 5jCjzlcKpUTfo9Arx045I80EIJBGQOnTtxQmLytF8lkxf9AserupDJI++jmPJVD3cSJs n/3sAD6ZkA90O6XcK/OTUpbFlJYXD30R9moQN2FrPNfOiGRatokAWB1aa2VKDpkm4lXp AYvA==
X-Gm-Message-State: APjAAAWuGDuooMkASHLimscEJehCEfwcnBiCpYIjRiOtfIpHwiU1fnG/ yawqbRkADqxqNfdnAxeIvG82bVCVRYZbnnf0Sf6adg==
X-Google-Smtp-Source: APXvYqzLJX4JVQgrmIQmLD+IwU1Da7h8Mnqctzgtn5ikAJ1IxiQkxSkLXgNB29et5p+HK+wwkCIJYO36EiIMwBS0dac=
X-Received: by 2002:a9d:774a:: with SMTP id t10mr23350962otl.228.1562089926400; Tue, 02 Jul 2019 10:52:06 -0700 (PDT)
MIME-Version: 1.0
References: <0d5e05fc-8f1e-54b5-536d-231153e7baf7@eff.org> <20190701123701.b3ba6b44ef85a74da6209e64@andrewayer.name> <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com>
In-Reply-To: <2cbff182-7c7a-4c55-b2d2-a67f41dd7436@sectigo.com>
From: Rob Percival <robpercival@google.com>
Date: Tue, 02 Jul 2019 18:51:53 +0100
Message-ID: <CAPbZxJTvk805WtR6FF8xUR0GS=E9gcEMphJR658GuTN8V0h_qg@mail.gmail.com>
To: Rob Stradling <rob@sectigo.com>
Cc: Andrew Ayer <agwa@andrewayer.name>, "trans@ietf.org" <trans@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c3ff1058cb6672e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/trans/hrDjGfuVSERsZK35DZbS1CyV9ko>
Subject: Re: [Trans] Directory instead of .well-known for URL structure
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 17:52:11 -0000
FYI: That JSON schema is planned for deprecation; a new version was proposed last year and, following a period for feedback, parties have been slowly migrating to the new schema: https://groups.google.com/a/chromium.org/d/topic/ct-policy/26dmpWdaSHM/discussion That thread would be a good place to propose schema changes. On Tue, 2 Jul 2019, 16:08 Rob Stradling, <rob@sectigo.com> wrote: > Andrew, thanks for your analysis. Comments inline... > > On 01/07/2019 20:37, Andrew Ayer wrote: > > I also think .well-known URLs are a bad idea, for the same reasons > > as Jacob. > > > > I think directories are even worse. Although they've been used > > successfully in ACME, CT has different needs which make directories > > unsuitable. ACME's usage pattern is to make a series of related > > requests over a short time period to drive a certificate request to > > issuance, with the client maintaining state between each request. > > This makes it natural for a client to fetch the directory once at the > > beginning of an issuance "session" and use it for the duration, since > > the cost of fetching the directory is amortized over all the requests, > > and the directory is unlikely to become invalid during the session. > > > > However, CT's usage pattern is to make a lot of unrelated one-off > > requests spread over a long period of time - e.g. submitting a > > (pre)certificate, fetching an inclusion proof, fetching the latest STH > > to send to auditors. Clients would have to either fetch a new directory > > for every request (doubling the number of requests made to the log) or > > cache directories in long-term state (which requires dealing with > > cached directories going stale, and requires keeping long-term state > > which might not otherwise be necessary). > > > > ACME's use of directories is underspecified since it doesn't say how > > long a directory remains valid. It's not a big deal for ACME because > > ACME servers are presumed to be sane, or people would switch to another > > CA. > > It's not been a big deal for ACME...yet. But why leave it to chance? > > I just filed this erratum against RFC8555: > https://www.rfc-editor.org/errata/eid5771 > > > However, CT is meant to be an adversarial protocol and has to > > anticipate logs doing crazy things like constantly changing their > > directory in an effort to stymie auditing and hide misbehavior. > > > > Thus, CT's use of directories would need to be quite well specified. > > It is not a change that should be rushed at the last minute without a > > chance for people to carefully examine and poke holes in it. > > Agreed. > > > CT clients already need to be configured with a number of parameters > > for each log - MMD, hash algorithm, public key, log ID, and so on. > > Adding a directory would bifurcate log metadata between the existing > > parameter set and the new directory object. > > > > I propose satisfying BCP 190 by simply specifying the URL for each > > endpoint as a separate log parameter. This is a very minimal change to > > the protocol and avoids the problems above. > > I agree that it would make sense to require each endpoint to be > specified as a log parameter. Your point about bifurcation is well made. > > So then I think the question is: Should 6962-bis specify a "directory" > endpoint that returns a JSON structure that contains all of the log's > parameters (including each of the endpoint URLs)? Or should 6962-bis > not mandate any particular format by which log operators should > distribute this information? > > Currently, 6962-bis doesn't mandate a format, but it does point to an > example format: > "[JSON.Metadata] is an example of a metadata format which includes the > above elements." > > Sadly, this claim is not currently true, because [JSON.Metadata] > (https://www.gstatic.com/ct/log_list/log_list_schema.json) does not > currently "include the above elements". We should fix this somehow. > But how? > > Also, how often is a CT client expected to refresh log metadata it has > obtained from (for example) [JSON.Metadata] ? > Is it wise to underspecify this? > > > Regards, > > Andrew > > -- > Rob Stradling > Senior Research & Development Scientist > Sectigo Limited > > _______________________________________________ > Trans mailing list > Trans@ietf.org > https://www.ietf.org/mailman/listinfo/trans >
- [Trans] Directory instead of .well-known for URL … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Martin Thomson
- Re: [Trans] Directory instead of .well-known for … Melinda Shore
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Manger, James
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Tomas Gustavsson
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Rob Percival
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Eran Messeri
- Re: [Trans] Directory instead of .well-known for … Rob Stradling
- Re: [Trans] Directory instead of .well-known for … Jacob Hoffman-Andrews
- Re: [Trans] Directory instead of .well-known for … Andrew Ayer
- Re: [Trans] Directory instead of .well-known for … Ryan Sleevi