Folks, Please take a look and send feedback.
/r$, co-chair -- Senior Architect, Akamai Technologies
IM: richs...@jabber.at
Twitter: RichSalz

From: Richard Barnes [mailto:r...@ipv.sx]
Sent: Friday, August 26, 2016 1:17 PM
To: acme@ietf.org
Subject: [Acme] PRs for unparallelization and new-nonce

Hey all,

Going through PRs today, trying to see where we can make progress. I've already merged several that seemed non-controversial [1]. There are two more where I think we have agreement, but I wanted to give people a few days to opine:

---

#181 - Add a new-nonce endpoint
https://github.com/ietf-wg-acme/acme/pull/181

This was proposed by Jacob as a resolution to the tension between nonces and cacheability (raised in #156). I also like this as a solution, so I went ahead and implemented it.

---

#164 - Unparallelize signatures on key-change
https://github.com/ietf-wg-acme/acme/pull/164

We've wandered a little bit in the discussion of this PR, but there seems to be agreement on the main points:

* Use nested rather than parallel signatures
* Use JWKs rather than thumbprints to represent the keys
* Require the "url" parameter to be the same for both inner and outer JWSs
* No requirement on the nonce parameter in the inner JWS

The main remaining conflict is about the general question of whether we should represent accounts by key, URL, or both. That's a more general question than this PR, though, so I'm going to propose we go ahead and make the changes we've agreed on, and if we change the representation of accounts later, we can update this section to match.

I've updated the PR to reflect the above agreements, and added a JWK equivalence test that I think should be agreeable to everyone.

---

I would appreciate if people could take a quick look at these and thumbs-up/down. If I don't hear objections by mid-next-week, I'll go ahead and merge.

--Richard

[1]
#163 - Make duplicate new-reg return 200
#166 - Clarify 'url' field processing
#171 - Remove combinations array
#175 - Remove certificates field from registration object
#176 - Fix typos
#178 - Fixes two typos not addressed by #176
#179 - Clarify "new-X" resources paragraph
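A server-side validator for the nested key-change form agreed in #164, added here as an example (not code from the draft, the PR, or the thread): it checks that the inner JWS carries the new key as a JWK and the same "url" as the outer JWS, places no nonce requirement on the inner JWS, and compares JWKs by their required members. The "oldKey" payload field, the placeholder signatures and the sample keys are assumptions; signature verification is assumed to happen separately.

```python
import base64
import json

# Required members per key type (the RFC 7638 thumbprint input set); two JWKs
# are treated as equivalent when these match, optional members are ignored.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_equivalent(a, b):
    members = REQUIRED_MEMBERS.get(a.get("kty"))
    return members is not None and all(a.get(m) == b.get(m) for m in members)

def validate_key_change(outer, account_key):
    """Structural checks only; signatures are assumed verified elsewhere."""
    outer_hdr = json.loads(b64url_decode(outer["protected"]))
    if "nonce" not in outer_hdr or "url" not in outer_hdr:
        return False, "outer JWS needs nonce and url"
    inner = json.loads(b64url_decode(outer["payload"]))
    inner_hdr = json.loads(b64url_decode(inner["protected"]))
    if "jwk" not in inner_hdr:
        return False, "inner JWS must carry the new key as a JWK"
    if inner_hdr.get("url") != outer_hdr["url"]:
        return False, "inner url must equal outer url"
    # No nonce requirement on the inner JWS, so nothing is checked there.
    body = json.loads(b64url_decode(inner["payload"]))
    if not jwk_equivalent(body.get("oldKey", {}), account_key):
        return False, "oldKey does not match the account key"
    return True, "ok"

def build_request(url, account_key, new_key, nonce="nonce-1", inner_extra=None):
    """Constructed sample request; "oldKey" field and signatures are assumed."""
    inner_hdr = {"alg": "ES256", "jwk": new_key, "url": url}
    inner_hdr.update(inner_extra or {})
    inner = {"protected": b64url_encode(json.dumps(inner_hdr).encode()),
             "payload": b64url_encode(json.dumps({"oldKey": account_key}).encode()),
             "signature": "placeholder"}
    outer_hdr = {"alg": "ES256", "nonce": nonce, "url": url}
    return {"protected": b64url_encode(json.dumps(outer_hdr).encode()),
            "payload": b64url_encode(json.dumps(inner).encode()),
            "signature": "placeholder"}

OLD_KEY = {"kty": "EC", "crv": "P-256", "x": "old-x", "y": "old-y", "kid": "x"}  # constructed
NEW_KEY = {"kty": "EC", "crv": "P-256", "x": "new-x", "y": "new-y"}  # constructed
```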
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme