Re: [Acme] Allow get for certificates?

Sat, 06 Oct 2018 09:53:31 -0700 

Speaking as Area Director: there is no process problem with this reference.
Of course, it's a WG decision whether it's advisable.

-Ekr


On Sat, Oct 6, 2018 at 8:31 AM Salz, Rich <rs...@akamai.com> wrote:

> In order to address an issue raised during IESG review, unauthenticated
> GET for ACME server resources was changed to a simple POST that had a
> signed message body, providing authentication. Some raised the issue that
> they still wanted GET for certificates, as they’re public information and
> that sometimes a different process (without the account credentials) might
> be involved in the deployment workflow.  STAR was mentioned as an example..
>
>
>
> There is now concern about calling out STAR, as it is still a WG draft and
> the full extent of its requirements are not known.
>
>
>
> If you have anything else to add to this discussion, please do so now.
>
>
>
> diff --git a/draft-ietf-acme-acme.md b/draft-ietf-acme-acme.md
>
> index 26eeeef..f1ca93f 100644
>
> --- a/draft-ietf-acme-acme.md
>
> +++ b/draft-ietf-acme-acme.md
>
> @@ -463,17 +463,6 @@ resources (see {{resources}}), in addition to
> POST-as-GET requests
>
> for these resources.  This enables clients to bootstrap into the
>
> ACME authentication system.
>
> -The server MAY allow GET requests for certificate resources in
>
> -order to allow certificates to be fetched by a lower-privileged
>
> -process, e.g., the web server that will use the referenced
>
> -certificate chain.  (See {{?I-D.ietf-acme-star}} for more advanced
>
> -cases.)  A server that allows GET requests for certificate resources
>
> -can still provide a degree of access control by assigning them
>
> -capability URLs {{?W3C.WD-capability-urls-20140218}}.
>
> -As above, if the server does not allow GET requests for a given
>
> -resource, it MUST return an error with status code 405 "Method Not
>
> -Allowed" and type "malformed".
>
> -
>
> ## Request URL Integrity
>
>  It is common in deployment for the entity terminating TLS for HTTPS to be
> different
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Reply via email to