Folks,

Please take a look and send feedback.

                /r$, co-chair

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Richard Barnes [mailto:r...@ipv.sx]
Sent: Friday, August 26, 2016 1:17 PM
To: acme@ietf.org
Subject: [Acme] PRs for unparallelization and new-nonce

Hey all,
Going through PRs today, trying to see where we can make progress.  I've 
already merged several that seemed non-controversial [1].  There are two more 
where I think we have agreement, but I wanted to give people a few days to 
opine:

---
#181 - Add a new-nonce endpoint
https://github.com/ietf-wg-acme/acme/pull/181
This was proposed by Jacob as a resolution to the tension between nonces and 
cacheability (raised in #156).  I also like this as a solution, so I went ahead 
and implemented it.

---
#164 - Unparallelize signatures on key-change
https://github.com/ietf-wg-acme/acme/pull/164
We've wandered a little bit in the discussion of this PR, but there seems to be 
agreement on the main points:
* Use nested rather than parallel signatures
* Use JWKs rather than thumbprints to represent the keys
* Require the "url" parameter to be the same for both inner and outer JWSs
* No requirement on the nonce parameter in the inner JWS
The main remaining conflict is about the general question of whether we should 
represent accounts by key, URL, or both.  That's a more general question than 
this PR, though, so I'm going to propose we go ahead and make the changes we've 
agreed on, and if we change the representation of accounts later, we can update 
this section to match.

I've updated the PR to reflect the above agreements, and added a JWK 
equivalence test that I think should be agreeable to everyone.

---
I would appreciate it if people could take a quick look at these and 
thumbs-up/down.  If I don't hear objections by mid-next-week, I'll go ahead and 
merge.
--Richard

[1]
#163 - Make duplicate new-reg return 200
#166 - Clarify 'url' field processing
#171 - Remove combinations array
#175 - Remove certificates field from registration object
#176 - Fix typos
#178 - Fixes two typos not addressed by #176
#179 - Clarify "new-X" resources paragraph
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
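The four key-change rules listed in the message (nested rather than parallel signatures, JWKs rather than thumbprints for both keys, the same "url" in the inner and outer JWS, and no nonce requirement on the inner JWS) and the new-nonce endpoint from #181, worked through as server-side validation code. This is an added example and is not code from the ACME draft, from either PR, or from any CA. It assumes the inner payload carries the account URL as "account" and the old key as "oldKey" (the layout later fixed in RFC 8555; the PR text above does not name the fields), a hypothetical endpoint URL, and HS256 as a stand-in for the asymmetric JWS algorithms ACME actually requires, so that it runs on the Python standard library alone. The JWK equivalence test is the RFC 7638 thumbprint over the required members only, so a JWK that differs only in optional members such as "kid" still compares equal.

```python
"""Server-side validation of a nested (inner/outer JWS) ACME key-change.

Added example, not code from the ACME draft, PR #164/#181, or any CA.
Assumptions: inner payload fields "account" and "oldKey" (RFC 8555 style),
a hypothetical endpoint URL, and HS256 in place of the asymmetric JWS
algorithms ACME requires (ACME rejects MAC algorithms on the wire).
"""
import base64
import hashlib
import hmac
import json
import secrets

# RFC 7638: only these members enter the thumbprint, in lexicographic order.
REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk):
    """SHA-256 over the required members only, no whitespace, sorted keys."""
    members = {m: jwk[m] for m in REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


def jwk_equivalent(a, b):
    """Two JWKs name the same key iff their RFC 7638 thumbprints match."""
    return a["kty"] == b["kty"] and hmac.compare_digest(jwk_thumbprint(a), jwk_thumbprint(b))


def jws_sign(protected, payload, jwk):
    p = b64u(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(b64u_decode(jwk["k"]), f"{p}.{pl}".encode(), hashlib.sha256).digest()
    return {"protected": p, "payload": pl, "signature": b64u(sig)}


def jws_verify(jws, jwk):
    """Return (protected header, payload) or raise ValueError."""
    signing_input = f"{jws['protected']}.{jws['payload']}".encode()
    expected = hmac.new(b64u_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_decode(jws["signature"])):
        raise ValueError("bad signature")
    return json.loads(b64u_decode(jws["protected"])), json.loads(b64u_decode(jws["payload"]))


class Server:
    def __init__(self, base="https://ca.example/acme"):   # hypothetical URL
        self.base = base
        self.accounts = {}    # account URL -> current JWK
        self.nonces = set()   # issued by new-nonce, not yet consumed

    def new_nonce(self):
        """The new-nonce endpoint: hand out a fresh single-use nonce."""
        nonce = b64u(secrets.token_bytes(16))
        self.nonces.add(nonce)
        return nonce

    def key_change(self, outer):
        """Nested signatures, JWKs for both keys, same url inside and outside,
        nonce required only on the outer JWS. Returns the account URL."""
        outer_hdr = json.loads(b64u_decode(outer["protected"]))
        if outer_hdr.get("nonce") not in self.nonces:
            raise ValueError("nonce missing or replayed")
        self.nonces.discard(outer_hdr["nonce"])          # single use
        account_url = outer_hdr.get("kid")
        old_jwk = self.accounts.get(account_url)
        if old_jwk is None:
            raise ValueError("unknown account")
        if outer_hdr.get("url") != f"{self.base}/key-change":
            raise ValueError("outer url is not this endpoint")
        _, inner = jws_verify(outer, old_jwk)            # outer: current account key
        inner_hdr = json.loads(b64u_decode(inner["protected"]))
        new_jwk = inner_hdr.get("jwk")
        if new_jwk is None:
            raise ValueError("inner JWS must carry the new key as a jwk")
        if inner_hdr.get("url") != outer_hdr["url"]:
            raise ValueError("inner and outer url differ")
        _, claims = jws_verify(inner, new_jwk)           # inner: new key, no nonce needed
        if claims.get("account") != account_url:
            raise ValueError("inner payload names another account")
        if "oldKey" not in claims or not jwk_equivalent(claims["oldKey"], old_jwk):
            raise ValueError("oldKey is not the account's current key")
        if any(jwk_equivalent(new_jwk, k) for k in self.accounts.values()):
            raise ValueError("new key already bound to an account")
        self.accounts[account_url] = new_jwk
        return account_url


def make_jwk():
    # A real account key is a public EC/RSA JWK; "oct" keeps this stdlib-only.
    return {"kty": "oct", "k": b64u(secrets.token_bytes(32))}


def build_key_change(base, account_url, old_jwk, new_jwk, nonce, inner_url=None):
    url = f"{base}/key-change"
    inner = jws_sign({"alg": "HS256", "jwk": new_jwk, "url": inner_url or url},
                     {"account": account_url, "oldKey": old_jwk}, new_jwk)
    return jws_sign({"alg": "HS256", "kid": account_url, "nonce": nonce, "url": url}, inner, old_jwk)


def demo():
    """Constructed scenario: one good rotation, then a replay and a url mismatch."""
    srv, old, new = Server(), make_jwk(), make_jwk()
    acct = f"{srv.base}/acct/1"
    srv.accounts[acct] = old
    good = build_key_change(srv.base, acct, old, new, srv.new_nonce())
    results = {"rotated": srv.key_change(good) == acct and jwk_equivalent(srv.accounts[acct], new)}
    bad_url = build_key_change(srv.base, acct, new, make_jwk(), srv.new_nonce(),
                               inner_url=f"{srv.base}/other")
    for name, req in (("replay", good), ("url_mismatch", bad_url)):
        try:
            srv.key_change(req)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce is checked and consumed before anything else, so a replayed request fails with a nonce error rather than reaching signature verification; the url equality check is what stops an inner JWS signed for one resource from being wrapped and submitted to another, which is the cross-resource concern the "same url" rule addresses.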