-
Notifications
You must be signed in to change notification settings - Fork 191
Conversation
draft-ietf-acme-acme.md
Outdated
send a POST request with a JWS body as described above, with the | ||
following differences: | ||
|
||
* The JWS Protected Header MUST contain a "typ" field with the value |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be "type", not "typ"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed that there exists a JWS header called "typ", but that's supposed to be a media type. Is it ok to redefine "typ" for ACME?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@adamroach pointed out to me that the typ
header parameter is tied to media types, though, so we'll have to pick a different signal here. Because application/GET
isn't a thing.
draft-ietf-acme-acme.md
Outdated
@@ -790,7 +806,7 @@ externalAccountRequired (optional, boolean): | |||
new-account requests include an "externalAccountBinding" field associating the | |||
new account with an external account. | |||
|
|||
Clients access the directory by sending a GET request to the directory URL. | |||
Clients access the directory by sending a POST-as-GET request to the directory URL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be GET
, as this is about the directory (which is explicitly mentioned as GET
above).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep. Overzealous search-and-replace :)
I think we don't need to require a "typ" field. I think we just need to update the semantics for each resource so that POSTs are always allowed, and a POST with the literal contents |
draft-ietf-acme-acme.md
Outdated
send a POST request with a JWS body as described above, with the | ||
following differences: | ||
|
||
* The JWS Protected Header MUST contain a "typ" field with the value |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
draft-ietf-acme-acme.md
Outdated
following differences: | ||
|
||
* The JWS Protected Header MUST contain a "typ" field with the value | ||
"GET" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't we need IANA considerations to register this header parameter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No; in fact, I chose typ
because it was already registered. However, as noted above, that'll need to change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Somehow I thought we had a registry of values that the "typ" field could take. Which, I guess we do, if it's media types, but I was clearly confused about it.
draft-ietf-acme-acme.md
Outdated
| Poll for status | POST-as-GET order | 200 | | ||
| Finalize order | POST order finalize | 200 | | ||
| Poll for status | POST-as-GET order | 200 | | ||
| Download certificate | POST order certificate | 200 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm feeling particularly dense today (jet lag), but why is this POST and not POST-as-GET?
draft-ietf-acme-acme.md
Outdated
"alg": "ES256", | ||
"kid": "https://example.com/acme/acct/1", | ||
"nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
"url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "url"
header value is not correct for a POST to /acme/cert/asdf
draft-ietf-acme-acme.md
Outdated
"alg": "ES256", | ||
"kid": "https://example.com/acme/acct/1", | ||
"nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
"url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "url"
header value is not correct for a POST to /acme/authz/1234
draft-ietf-acme-acme.md
Outdated
"alg": "ES256", | ||
"kid": "https://example.com/acme/acct/1", | ||
"nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
"url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This "url" header value is not correct for a POST to /acme/authz/1234
@jsha the POST to initiate a challenge throws a 🔧 into this plan. Specifically the server needs a way to differentiate a POST to an authorization's challenge as a POST to initiate the challenge validation process or a POST-AS-GET to poll the challenge. Both types of POST would be using a One option is to change the "start the challenge" POST to include a marker field in the body instead of using a "typ" header in the JWS and reserving the empty body as a marker for POST-AS-GET. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few more comments.
I think "7.3.7. Account Deactivation" needs to be updated to make it clear that under this new proposed authenticated POST-as-GET scheme you would lose access to all authorization, challenge, order and certificate information associated with the account that is deactivated. Previously you could continue to GET all of these resources post-deactivation and this may be a surprising outcome for folks that aren't aware of it before deactivating (especially since ACME does not provide a mechanism to "re-activate").
draft-ietf-acme-acme.md
Outdated
|
||
* The JWS Protected Header MUST contain a "typ" field with the value | ||
"GET" | ||
* The payload MUST be an empty JSON object ({}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What should the server return to the client if this isn't true? A urn:ietf:params:acme:error:unauthorized
type problem? urn:ietf:acme:error:malformedRequest
?
draft-ietf-acme-acme.md
Outdated
|
||
We will refer to these as "POST-as-GET" requests. On receiving such | ||
a request, the server MUST authenticate the sender and verify any | ||
access control rules. Otherwise, the server MUST treat this request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What should the server return to the client if the POST-as-GET authentication fails? A urn:ietf:params:acme:error:unauthorized
type problem? urn:ietf:acme:error:malformedRequest
?
draft-ietf-acme-acme.md
Outdated
Otherwise, if a client wishes to fetch a resource from | ||
the server (which would otherwise be done with a GET), then it MUST | ||
send a POST request with a JWS body as described above, with the | ||
following differences: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What should the server return if it receives a GET to a resource? SHOULD (MUST?) return a urn:ietf:acme:error:malformedRequest
problem with status 405?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@bifurcation Thanks for the iteration. It's looking better. Few small things to flag.
draft-ietf-acme-acme.md
Outdated
Otherwise, the server MUST treat this request as having the same | ||
semantics as a GET request for the same resource. | ||
|
||
The server MUST allow GET requests for the following resources(see |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: resources(see)
-> resources (see)
draft-ietf-acme-acme.md
Outdated
|
||
The server MUST allow GET requests for the following resources(see | ||
{{resources}}, in addition to POST-as-GET requests for these | ||
resources: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: I think the second "these resources" in this sentence is redundant.
draft-ietf-acme-acme.md
Outdated
* The newNonce resource | ||
* Certificate resources | ||
|
||
Allowing GET requests for the directory and newNonce resourcse |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "resourcse" -> "resource"
draft-ietf-acme-acme.md
Outdated
@@ -1616,7 +1639,9 @@ orders or authorization transactions based on a change of account key. | |||
|
|||
A client can deactivate an account by posting a signed update to the server with | |||
a status field of "deactivated." Clients may wish to do this when the account | |||
key is compromised or decommissioned. | |||
key is compromised or decommissioned. A deactivated account an no longer request |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
typo: "an no longer" -> "can no longer"
draft-ietf-acme-acme.md
Outdated
"url": "https://example.com/acme/authz/1234", | ||
"typ": "GET" | ||
}), | ||
"payload": base64url({}), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be "payload": null,
now since its replacing a GET to this authz with a POST-as-GET?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should actually be "payload": ""
, since JSON distinguishes between an empty string (or equivalently, zero-length payload) and the null value.
draft-ietf-acme-acme.md
Outdated
"url": "https://example.com/acme/authz/1234", | ||
"typ": "GET" | ||
}), | ||
"payload": base64url({}), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto here RE: the null payload.
This is an experimental implementation of the acme draft protocol change proposed in ACME PR 445[0]. When Pebble is run with `-strict` it will no longer allow unauthenticated GET requests to Orders, Authorizations or Challenges. Support is added for "POST-as-GET" requests as an authenticated alternative. [0] - ietf-wg-acme/acme#445
draft-ietf-acme-acme.md
Outdated
certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
cases.) A server that allows GET requests for certificate resources | ||
can still provide them a degree of access control by assigning them | ||
capability URLs them capability URLs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"them capability URLs" is there twice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also please add a reference for "capability URLs", https://www.w3.org/TR/capability-urls/ (the same reference that's listed below).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggest to add: The server MAY choose to allow GET requests to certain certificate resources but not to others. The server can base this decision on out-of-band knowledge (e.g., to allow GET requests to certificates owned by a certain account) or on order-specific information, such as the extension defined in {{?I-D.ietf-acme-star}}.
draft-ietf-acme-acme.md
Outdated
| Poll for status | POST-as-GET order | 200 | | ||
| Finalize order | POST order finalize | 200 | | ||
| Poll for status | POST-as-GET order | 200 | | ||
| Download certificate | GET order certificate | 200 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the "Download certificate" row be "GET or POST-as-GET"?
draft-ietf-acme-acme.md
Outdated
|
||
For example, suppose that the CA uses highly structured URLs that | ||
with several low-entropy fields: | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "For example" sentence above is incomplete.
@yaronf Which case do you mean? GETs are clearly allowed for certificate resources, just at the MAY level. |
I was referring to the "Downloading the Certificate" section. After
rereading the whole thing again, I realize that GET is still allowed.
But still, for clarity, we should mention this fact again in this section.
…On 06/09/18 18:21, Richard Barnes wrote:
@yaronf <https://github.com/yaronf> Which case do you mean? GETs are
clearly allowed for certificate resources, just at the MAY level.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#445 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABNP5IyUMtu68wsuHkgdhKUOFD9gUJtwks5uYT1_gaJpZM4WTsq7>.
|
I think we need to give the WG a chance to object to this. Yes there has been some discussion, but I'll do a formal 'call' email. Don't let that delay merging, we can always revert. :) |
draft-ietf-acme-acme.md
Outdated
for these resources. This enables clients to bootstrap into the | ||
ACME authentication system. | ||
|
||
The server MAY allow GET requests for certificate resources, in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor nit: I don't think the comma after "resources" is required here.
draft-ietf-acme-acme.md
Outdated
process, e.g., the web server that will use the referenced | ||
certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
cases.) A server that allows GET requests for certificate resources | ||
can still provide them a degree of access control by assigning them |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: "can still provide them a degree" -> "can still provide a degree"
draft-ietf-acme-acme.md
Outdated
key is compromised or decommissioned. | ||
key is compromised or decommissioned. A deactivated account can no longer request | ||
certificate issuance or access resources related to the account, such as orders | ||
or authorizations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add one more sentence that explicitly says "If a server receives a POST or POST-as-GETs from a deactivated account it MUST return a urn:ietf:params:acme:error:unauthorized problem"?
draft-ietf-acme-acme.md
Outdated
order to allow certificates to be fetched by a lower-privileged | ||
process, e.g., the web server that will use the referenced | ||
certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
cases.) A server that allows GET requests for certificate resources | ||
can still provide them a degree of access control by assigning them | ||
can still provide a degree of access control by assigning them | ||
capability URLs them capability URLs {{?W3C.WD-capability-urls-20140218}}. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"them capability URLs" they really are a-happen-ing ... twice.
This is an implementation of the acme draft protocol change added in ACME PR 445[0]. When Pebble is run with `-strict` it will no longer allow unauthenticated GET requests to Orders, Authorizations or Challenges. Support is added for "POST-as-GET" requests as an authenticated alternative. [0] - ietf-wg-acme/acme#445
This is one option for resolving the privacy concerns raised in Adam's and Ben's AD reviews.