On 8/31/18 3:58 PM, Jacob Hoffman-Andrews wrote:
> On 08/31/2018 01:51 PM, Adam Roach wrote:
>> The baseline problem here is that the original analysis that
>> determined that orders, authorizations, challenges, and certificates
>> were "not sensitive" was incorrect. These are all potentially
>> sensitive from a privacy perspective. Perhaps not in isolation, but
>> the problem here is correlation, not isolation.
> What do you think about the question of preventing correlation of the
> existence of URLs? Do you think that's in-scope, or should we only
> prevent correlation of the contents?
The latter.
> Here's another example of a URL scheme where revealing existence would
> reveal some correlation data:
> /account/100/certificate/example.com
> /account/201/certificate/example.net
> /account/100/certificate/secret.example.com
> Personally, I think it will be intractable to hide the
> existence/non-existence of URLs, and we should just mention it as a
> risk in the security considerations section. That leads me to the
> conclusion that it's fine to return Unauthorized for resources that
> exist, but the client does not own.
I think that's correct.
/a
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
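The existence oracle the two messages above are weighing, as an added example: this is not code from the thread, from RFC 8555, or from any ACME implementation. It models the constructed URL scheme Jacob gives, applies two server policies for a GET on a resource owned by another account (return "unauthorized", or return "not found" for both missing and foreign resources), and shows what a probing account can infer from the status code alone. The HTTP mapping (403 for unauthorized, 404 for missing), the account numbers and the hostnames are assumptions for illustration.

```python
"""Added illustration of the URL-existence oracle discussed in the thread.

Not code from the thread, RFC 8555, or any ACME implementation. It models
two server policies for a GET on a resource URL that exists but belongs to
another account, using the constructed URL scheme from the e-mail, and shows
what a probing account can and cannot learn under each.
"""
from collections import defaultdict

# Constructed store: url -> owning account (assumed data, modelled on the
# three URLs quoted in the thread).
RESOURCES = {
    "/account/100/certificate/example.com": 100,
    "/account/201/certificate/example.net": 201,
    "/account/100/certificate/secret.example.com": 100,
}

# Assumed HTTP mapping (the thread does not specify one): 403 for the ACME
# "unauthorized" problem, 404 for a missing resource, 200 for the owner.
UNAUTHORIZED = 403
NOT_FOUND = 404
OK = 200


def handle_get(url, requester, policy):
    """Return the HTTP status for `requester` fetching `url` under `policy`.

    policy == "unauthorized": existing, foreign resource -> 403 (the
        behaviour the thread concludes is acceptable); missing -> 404.
    policy == "hide":         both cases -> 404, so the status carries no
        existence signal (the alternative the thread calls intractable).
    """
    owner = RESOURCES.get(url)
    if owner == requester:
        return OK
    if owner is None or policy == "hide":
        return NOT_FOUND
    return UNAUTHORIZED


def probe(urls, attacker, policy):
    """Infer existence of each url from the status alone.

    Returns url -> True (exists), False (absent) or None (indistinguishable).
    """
    result = {}
    for url in urls:
        status = handle_get(url, attacker, policy)
        if status in (OK, UNAUTHORIZED):
            result[url] = True
        elif policy == "hide":
            result[url] = None  # 404 under "hide" could mean either case
        else:
            result[url] = False
    return result


def correlate(probe_result):
    """Group confirmed-existing identifiers by the account segment of the
    URL. This is the correlation the thread is worried about: the attacker
    learns that whoever holds example.com also holds secret.example.com."""
    by_account = defaultdict(set)
    for url, exists in probe_result.items():
        if exists:
            _, _, account, _, identifier = url.split("/")
            by_account[int(account)].add(identifier)
    return dict(by_account)


if __name__ == "__main__":
    guesses = [
        "/account/100/certificate/example.com",
        "/account/100/certificate/secret.example.com",
        "/account/100/certificate/nothing.example.org",
    ]
    for policy in ("unauthorized", "hide"):
        found = probe(guesses, attacker=201, policy=policy)
        print(policy, found, correlate(found))
```

Under the "unauthorized" policy, account 201 confirms that account 100 holds both example.com and secret.example.com while nothing.example.org is absent; under "hide" every foreign probe returns 404 and nothing can be grouped. The example only covers the status-code channel; timing differences between the two 404 paths would be a separate leak that a "hide" policy would also have to close.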