I'm strongly in favour of Jacob's suggestions in 459. On Fri, Oct 5, 2018 at 7:17 PM Jacob Hoffman-Andrews <j...@eff.org> wrote:
> Here's my proposal that removes the STAR special-casing in ACME, making > certificate URLs behave the same way as all other fetchable resources: > https://github.com/ietf-wg-acme/acme/pull/459. > > Sticking STAR concerns into the ACME draft so late in ACME development is > only going to cause issues. At the point, we need to be locking things down > and removing unused features, not introducing new fiddly bits for the sake > of drafts that can easily be implemented as an extension to the main draft. > > On 10/05/2018 03:55 PM, Jacob Hoffman-Andrews wrote: > > > The removed language is a non-normative statement of fact > > You can't introduce a new authentication method in post-Last Call > revisions, and claim they are non-significant simply because they are not > formally normative. > > > It seems like you're trying to get rid of a better option to maintain > the appearance architectural purity. > > Nope, this is not a matter of architectural purity. Capability URLs are a > strictly weaker authentication method than the JWS-based POSTs used > everywhere in the protocol. If you read the doc ( > https://www.w3.org/TR/capability-urls/), it's all about the risks > involved and how they should only be used as a last resort. The language we > had up to draft 13 made this very explicit: GETs are not authenticated. > > It seems like this was introduced in response to the STAR group requesting > that final certificates be made GETtable. This was a pretty tenuous claim > anyhow: If most ACME servers require POST for certificates, STAR-shaped > clients won't be able to interoperate with them. So if you feel like STAR > needs some special way to authenticate GETs, with lower security > requirements than ACME, let's punt that to the STAR spec. Certificate GETs > in ACME can be a MUST POST like everything else, and STAR can declare a > "gettable certificate" extension. > > > _______________________________________________ > Acme mailing listAcme@ietf.orghttps://www.ietf.org/mailman/listinfo/acme > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
_______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme
