On Sat, Aug 6, 2016 at 1:46 PM, Jacob Hoffman-Andrews <j...@eff.org> wrote:

>
>
> On 08/05/2016 12:22 PM, Richard Barnes wrote:
>
>> #165 - Re-add new-authz as pre-authorization
>> https://github.com/ietf-wg-acme/acme/pull/165
>>
> Gave feedback on a separate thread.
>
>> #166 - Clarify 'url' field processing
>> https://github.com/ietf-wg-acme/acme/pull/166
>>
> LGTM
>
>
>> #161 - Drop the OOB challenge
>> https://github.com/ietf-wg-acme/acme/pull/161
>>
> LGTM
>
>
>> #162 - Add a protocol version
>> https://github.com/ietf-wg-acme/acme/pull/162
>>
> Still thinking about this one. Seems sound at first glance, but I'm
> thinking about TLS version intolerance and
> https://www.imperialviolet.org/2016/05/16/agility.html.
>
>> #163 - Make duplicate new-reg return 303
>> https://github.com/ietf-wg-acme/acme/pull/163
>>
>> (NB: I used 303 instead of 302 because I thought it was a better fit after
>> reading the HTTP spec.  Nothing is going to be a perfect fit here.)
>> https://tools.ietf.org/html/rfc7231#section-6.4.4
>>
> Agreed that nothing is a perfect fit here. In particular, common UA
> behavior is to turn a POST into a GET, which will fail because you can't
> GET a registration. However, we also don't want the UA to re-POST, because
> (a) the nonce will be used up already, and (b) the POST for a new-reg isn't
> the same as a POST for an existing registration.
>
> Can you provide more detail on the motivation for this change, both
> on-list and in the PR description?
>

I think the motivation is pretty clearly spelled out in the corresponding
issue:
https://github.com/ietf-wg-acme/acme/issues/157

In brief, the idea is that this is not an error condition, so it shouldn't
use an error status (4xx / 5xx).  Now we're just haggling over which code
to use.

I would note that the most recent version of the spec to have new-authz
also used 303 when it found an existing authz.  So wherever we end up, we
should be consistent between those two cases.

As far as 3XX (your argument is not specific to 303) -- it seems like the
POST->GET change is only an issue for libraries that automatically follow
redirects, which I don't think is a universal behavior.  But I would be
open to returning a 2XX if we could find a good one.  Probably would want
to send Content-Location for the URL.

--Richard
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
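The 303 handling discussed above, as an added Python example that is not from the thread or from the ACME draft: an in-memory stand-in CA (constructed, not a real server; `FakeCA`, `register` and the `https://ca.example/...` URLs are assumptions) and a client that treats a 303 from new-reg as "this key is already registered at Location" without letting an HTTP library follow the redirect as a GET or re-POST with a spent nonce.

```python
"""Consume the 303 from a duplicate ACME new-reg in the client, not in the HTTP layer.

Constructed example: FakeCA is an in-memory stand-in for an ACME server.
Header names follow the draft (Replay-Nonce, Location); URLs are placeholders.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict


@dataclass
class FakeCA:
    """Registrations keyed by account key; a second new-reg for the same key -> 303."""
    regs: dict = field(default_factory=dict)
    nonces: set = field(default_factory=set)

    def new_nonce(self) -> str:
        n = secrets.token_urlsafe(16)
        self.nonces.add(n)
        return n

    def new_reg(self, account_key: str, nonce: str) -> Response:
        # Nonces are single-use: a replayed nonce is rejected, which is why the
        # client must not simply re-POST after a redirect.
        if nonce not in self.nonces:
            return Response(400, {"Replay-Nonce": self.new_nonce()})
        self.nonces.discard(nonce)
        headers = {"Replay-Nonce": self.new_nonce()}
        if account_key in self.regs:
            headers["Location"] = self.regs[account_key]
            return Response(303, headers)  # existing registration: not an error
        url = f"https://ca.example/reg/{len(self.regs) + 1}"
        self.regs[account_key] = url
        headers["Location"] = url
        return Response(201, headers)


def register(ca: FakeCA, account_key: str) -> tuple:
    """POST new-reg once; return (registration URL, created?, next nonce).

    The 303 is handled here rather than by a redirect-following HTTP client:
    following it would turn the POST into a GET of the registration URL (which
    cannot be GET-ed), and re-POSTing would replay the nonce just spent.
    """
    resp = ca.new_reg(account_key, ca.new_nonce())
    nonce = resp.headers["Replay-Nonce"]  # always carry the fresh nonce forward
    if resp.status in (201, 303):
        return resp.headers["Location"], resp.status == 201, nonce
    raise RuntimeError(f"new-reg failed with HTTP {resp.status}")
```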
