Re: [Acme] Backing-out capability URLs from the spec (added in #445)

Fri, 05 Oct 2018 16:17:55 -0700

Here's my proposal that removes the STAR special-casing in ACME, making certificate URLs behave the same way as all other fetchable resources: https://github.com/ietf-wg-acme/acme/pull/459.
Sticking STAR concerns into the ACME draft so late in ACME development is only going to cause issues. At the point, we need to be locking things down and removing unused features, not introducing new fiddly bits for the sake of drafts that can easily be implemented as an extension to the main draft. 

On 10/05/2018 03:55 PM, Jacob Hoffman-Andrews wrote:

>The removed language is a non-normative statement of fact


You can't introduce a new authentication method in post-Last Call 
revisions, and claim they are non-significant simply because they are 
not formally normative.



> It seems like you're trying to get rid of a better option to 
maintain the appearance architectural purity.



Nope, this is not a matter of architectural purity. Capability URLs 
are a strictly weaker authentication method than the JWS-based POSTs 
used everywhere in the protocol. If you read the doc 
(https://www.w3.org/TR/capability-urls/), it's all about the risks 
involved and how they should only be used as a last resort. The 
language we had up to draft 13 made this very explicit: GETs are not 
authenticated.



It seems like this was introduced in response to the STAR group 
requesting that final certificates be made GETtable. This was a pretty 
tenuous claim anyhow: If most ACME servers require POST for 
certificates, STAR-shaped clients won't be able to interoperate with 
them. So if you feel like STAR needs some special way to authenticate 
GETs, with lower security requirements than ACME, let's punt that to 
the STAR spec. Certificate GETs in ACME can be a MUST POST like 
everything else, and STAR can declare a "gettable certificate" extension.



_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme



_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme






















					Reply via email to