Remove GET requests #445
Remove GET requests #445
Conversation
draft-ietf-acme-acme.md
Outdated
| send a POST request with a JWS body as described above, with the | ||
| following differences: | ||
|
|
||
| * The JWS Protected Header MUST contain a "typ" field with the value |
There was a problem hiding this comment.
Shouldn't it be "type", not "typ"?
There was a problem hiding this comment.
I noticed that there exists a JWS header called "typ", but that's supposed to be a media type. Is it ok to redefine "typ" for ACME?
There was a problem hiding this comment.
There was a problem hiding this comment.
@adamroach pointed out to me that the typ header parameter is tied to media types, though, so we'll have to pick a different signal here. Because application/GET isn't a thing.
draft-ietf-acme-acme.md
Outdated
| @@ -790,7 +806,7 @@ externalAccountRequired (optional, boolean): | |||
| new-account requests include an "externalAccountBinding" field associating the | |||
| new account with an external account. | |||
|
|
|||
| Clients access the directory by sending a GET request to the directory URL. | |||
| Clients access the directory by sending a POST-as-GET request to the directory URL. | |||
There was a problem hiding this comment.
This should be GET, as this is about the directory (which is explicitly mentioned as GET above).
There was a problem hiding this comment.
Yep. Overzealous search-and-replace :)
|
I think we don't need to require a "typ" field. I think we just need to update the semantics for each resource so that POSTs are always allowed, and a POST with the literal contents |
draft-ietf-acme-acme.md
Outdated
| send a POST request with a JWS body as described above, with the | ||
| following differences: | ||
|
|
||
| * The JWS Protected Header MUST contain a "typ" field with the value |
There was a problem hiding this comment.
draft-ietf-acme-acme.md
Outdated
| following differences: | ||
|
|
||
| * The JWS Protected Header MUST contain a "typ" field with the value | ||
| "GET" |
There was a problem hiding this comment.
Don't we need IANA considerations to register this header parameter?
There was a problem hiding this comment.
No; in fact, I chose typ because it was already registered. However, as noted above, that'll need to change.
There was a problem hiding this comment.
Somehow I thought we had a registry of values that the "typ" field could take. Which, I guess we do, if it's media types, but I was clearly confused about it.
draft-ietf-acme-acme.md
Outdated
| | Poll for status | POST-as-GET order | 200 | | ||
| | Finalize order | POST order finalize | 200 | | ||
| | Poll for status | POST-as-GET order | 200 | | ||
| | Download certificate | POST order certificate | 200 | |
There was a problem hiding this comment.
I'm feeling particularly dense today (jet lag), but why is this POST and not POST-as-GET?
draft-ietf-acme-acme.md
Outdated
| "alg": "ES256", | ||
| "kid": "https://example.com/acme/acct/1", | ||
| "nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
| "url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
This "url" header value is not correct for a POST to /acme/cert/asdf
draft-ietf-acme-acme.md
Outdated
| "alg": "ES256", | ||
| "kid": "https://example.com/acme/acct/1", | ||
| "nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
| "url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
This "url" header value is not correct for a POST to /acme/authz/1234
draft-ietf-acme-acme.md
Outdated
| "alg": "ES256", | ||
| "kid": "https://example.com/acme/acct/1", | ||
| "nonce": "uQpSjlRb4vQVCjVYAyyUWg", | ||
| "url": "https://example.com/acme/new-authz", |
There was a problem hiding this comment.
This "url" header value is not correct for a POST to /acme/authz/1234
@jsha the POST to initiate a challenge throws a 🔧 into this plan. Specifically the server needs a way to differentiate a POST to an authorization's challenge as a POST to initiate the challenge validation process or a POST-AS-GET to poll the challenge. Both types of POST would be using a One option is to change the "start the challenge" POST to include a marker field in the body instead of using a "typ" header in the JWS and reserving the empty body as a marker for POST-AS-GET. |
There was a problem hiding this comment.
Few more comments.
I think "7.3.7. Account Deactivation" needs to be updated to make it clear that under this new proposed authenticated POST-as-GET scheme you would lose access to all authorization, challenge, order and certificate information associated with the account that is deactivated. Previously you could continue to GET all of these resources post-deactivation and this may be a surprising outcome for folks that aren't aware of it before deactivating (especially since ACME does not provide a mechanism to "re-activate").
draft-ietf-acme-acme.md
Outdated
|
|
||
| * The JWS Protected Header MUST contain a "typ" field with the value | ||
| "GET" | ||
| * The payload MUST be an empty JSON object ({}) |
There was a problem hiding this comment.
What should the server return to the client if this isn't true? A urn:ietf:params:acme:error:unauthorized type problem? urn:ietf:acme:error:malformedRequest?
draft-ietf-acme-acme.md
Outdated
|
|
||
| We will refer to these as "POST-as-GET" requests. On receiving such | ||
| a request, the server MUST authenticate the sender and verify any | ||
| access control rules. Otherwise, the server MUST treat this request |
There was a problem hiding this comment.
What should the server return to the client if the POST-as-GET authentication fails? A urn:ietf:params:acme:error:unauthorized type problem? urn:ietf:acme:error:malformedRequest?
draft-ietf-acme-acme.md
Outdated
| Otherwise, if a client wishes to fetch a resource from | ||
| the server (which would otherwise be done with a GET), then it MUST | ||
| send a POST request with a JWS body as described above, with the | ||
| following differences: |
There was a problem hiding this comment.
What should the server return if it receives a GET to a resource? SHOULD (MUST?) return a urn:ietf:acme:error:malformedRequest problem with status 405?
There was a problem hiding this comment.
@bifurcation Thanks for the iteration. It's looking better. Few small things to flag.
draft-ietf-acme-acme.md
Outdated
| Otherwise, the server MUST treat this request as having the same | ||
| semantics as a GET request for the same resource. | ||
|
|
||
| The server MUST allow GET requests for the following resources(see |
There was a problem hiding this comment.
typo: resources(see) -> resources (see)
draft-ietf-acme-acme.md
Outdated
|
|
||
| The server MUST allow GET requests for the following resources(see | ||
| {{resources}}, in addition to POST-as-GET requests for these | ||
| resources: |
There was a problem hiding this comment.
nit: I think the second "these resources" in this sentence is redundant.
draft-ietf-acme-acme.md
Outdated
| * The newNonce resource | ||
| * Certificate resources | ||
|
|
||
| Allowing GET requests for the directory and newNonce resourcse |
There was a problem hiding this comment.
typo: "resourcse" -> "resource"
draft-ietf-acme-acme.md
Outdated
| @@ -1616,7 +1639,9 @@ orders or authorization transactions based on a change of account key. | |||
|
|
|||
| A client can deactivate an account by posting a signed update to the server with | |||
| a status field of "deactivated." Clients may wish to do this when the account | |||
| key is compromised or decommissioned. | |||
| key is compromised or decommissioned. A deactivated account an no longer request | |||
There was a problem hiding this comment.
typo: "an no longer" -> "can no longer"
draft-ietf-acme-acme.md
Outdated
| "url": "https://example.com/acme/authz/1234", | ||
| "typ": "GET" | ||
| }), | ||
| "payload": base64url({}), |
There was a problem hiding this comment.
Shouldn't this be "payload": null, now since its replacing a GET to this authz with a POST-as-GET?
There was a problem hiding this comment.
I think this should actually be "payload": "", since JSON distinguishes between an empty string (or equivalently, zero-length payload) and the null value.
draft-ietf-acme-acme.md
Outdated
| "url": "https://example.com/acme/authz/1234", | ||
| "typ": "GET" | ||
| }), | ||
| "payload": base64url({}), |
There was a problem hiding this comment.
ditto here RE: the null payload.
This is an experimental implementation of the acme draft protocol change proposed in ACME PR 445[0]. When Pebble is run with `-strict` it will no longer allow unauthenticated GET requests to Orders, Authorizations or Challenges. Support is added for "POST-as-GET" requests as an authenticated alternative. [0] - ietf-wg-acme/acme#445
draft-ietf-acme-acme.md
Outdated
| certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
| cases.) A server that allows GET requests for certificate resources | ||
| can still provide them a degree of access control by assigning them | ||
| capability URLs them capability URLs |
There was a problem hiding this comment.
"them capability URLs" is there twice.
There was a problem hiding this comment.
Also please add a reference for "capability URLs", https://www.w3.org/TR/capability-urls/ (the same reference that's listed below).
There was a problem hiding this comment.
Suggest to add: The server MAY choose to allow GET requests to certain certificate resources but not to others. The server can base this decision on out-of-band knowledge (e.g., to allow GET requests to certificates owned by a certain account) or on order-specific information, such as the extension defined in {{?I-D.ietf-acme-star}}.
draft-ietf-acme-acme.md
Outdated
| | Poll for status | POST-as-GET order | 200 | | ||
| | Finalize order | POST order finalize | 200 | | ||
| | Poll for status | POST-as-GET order | 200 | | ||
| | Download certificate | GET order certificate | 200 | |
There was a problem hiding this comment.
Should the "Download certificate" row be "GET or POST-as-GET"?
draft-ietf-acme-acme.md
Outdated
|
|
||
| For example, suppose that the CA uses highly structured URLs that | ||
| with several low-entropy fields: | ||
|
|
There was a problem hiding this comment.
The "For example" sentence above is incomplete.
|
@yaronf Which case do you mean? GETs are clearly allowed for certificate resources, just at the MAY level. |
|
I was referring to the "Downloading the Certificate" section. After
rereading the whole thing again, I realize that GET is still allowed.
But still, for clarity, we should mention this fact again in this section.
…On 06/09/18 18:21, Richard Barnes wrote:
@yaronf <https://github.com/yaronf> Which case do you mean? GETs are
clearly allowed for certificate resources, just at the MAY level.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#445 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABNP5IyUMtu68wsuHkgdhKUOFD9gUJtwks5uYT1_gaJpZM4WTsq7>.
|
|
I think we need to give the WG a chance to object to this. Yes there has been some discussion, but I'll do a formal 'call' email. Don't let that delay merging, we can always revert. :) |
draft-ietf-acme-acme.md
Outdated
| for these resources. This enables clients to bootstrap into the | ||
| ACME authentication system. | ||
|
|
||
| The server MAY allow GET requests for certificate resources, in |
There was a problem hiding this comment.
minor nit: I don't think the comma after "resources" is required here.
draft-ietf-acme-acme.md
Outdated
| process, e.g., the web server that will use the referenced | ||
| certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
| cases.) A server that allows GET requests for certificate resources | ||
| can still provide them a degree of access control by assigning them |
There was a problem hiding this comment.
nit: "can still provide them a degree" -> "can still provide a degree"
draft-ietf-acme-acme.md
Outdated
| key is compromised or decommissioned. | ||
| key is compromised or decommissioned. A deactivated account can no longer request | ||
| certificate issuance or access resources related to the account, such as orders | ||
| or authorizations. |
There was a problem hiding this comment.
Can you add one more sentence that explicitly says "If a server receives a POST or POST-as-GETs from a deactivated account it MUST return a urn:ietf:params:acme:error:unauthorized problem"?
draft-ietf-acme-acme.md
Outdated
| order to allow certificates to be fetched by a lower-privileged | ||
| process, e.g., the web server that will use the referenced | ||
| certificate chain. (See {{?I-D.ietf-acme-star}} for more advanced | ||
| cases.) A server that allows GET requests for certificate resources | ||
| can still provide them a degree of access control by assigning them | ||
| can still provide a degree of access control by assigning them | ||
| capability URLs them capability URLs {{?W3C.WD-capability-urls-20140218}}. |
There was a problem hiding this comment.
"them capability URLs" they really are a-happen-ing ... twice.
This is an implementation of the acme draft protocol change added in ACME PR 445[0]. When Pebble is run with `-strict` it will no longer allow unauthenticated GET requests to Orders, Authorizations or Challenges. Support is added for "POST-as-GET" requests as an authenticated alternative. [0] - ietf-wg-acme/acme#445
This is one option for resolving the privacy concerns raised in Adam's and Ben's AD reviews.