Re: [Acme] Randomizing URLs in examples

2018-10-06 Thread Richard Barnes
I didn't merge, I just opened the PR so that we could have the discussion.

On Sat, Oct 6, 2018, 17:44 Salz, Rich wrote:
> The fact that there were open concerns does not mean that PR455 was wrong.
>
> Please undo the revert that was part of PR458.
>
> EVERYONE. Stop merging. Discuss on

Re: [Acme] Randomizing URLs in examples

2018-10-06 Thread Salz, Rich
The fact that there were open concerns does not mean that PR455 was wrong.

Please undo the revert that was part of PR458.

EVERYONE. Stop merging. Discuss on the list.

From: Richard Barnes
Date: Saturday, October 6, 2018 at 5:38 PM
To: "acme@ietf.org"
Subject: [Acme] Randomizing URLs in examp

[Acme] Randomizing URLs in examples

2018-10-06 Thread Richard Barnes
I have opened a PR reverting Jacob's reversion of the #455

https://github.com/ietf-wg-acme/acme/pull/460

The randomization of examples is independent of whether you think GETs are a good idea or not. As noted in the Security Considerations, having different types of resources in different namesp

Re: [Acme] Allow get for certificates?

2018-10-06 Thread Richard Barnes
I'm not hard set against this change, I just don't see much benefit. Allowing GETs for certificate URLs is so low-risk that we weren't going to access-control it at all until a couple weeks ago. Now it's so high-risk that we need to REQUIRE authentication? That's "REQUIRED" in the RFC 2119 sense

Re: [Acme] Allow get for certificates?

2018-10-06 Thread Eric Rescorla
Speaking as Area Director: there is no process problem with this reference. Of course, it's a WG decision whether it's advisable.

-Ekr

On Sat, Oct 6, 2018 at 8:31 AM Salz, Rich wrote:
> In order to address an issue raised during IESG review, unauthenticated
> GET for ACME server resources was

[Acme] Allow get for certificates?

2018-10-06 Thread Salz, Rich
In order to address an issue raised during IESG review, unauthenticated GET for ACME server resources was changed to a simple POST that had a signed message body, providing authentication. Some raised the issue that they still wanted GET for certificates, as they’re public information and that s

[Acme] Mention URLs can be capabilities?

2018-10-06 Thread Salz, Rich
We are having a tussle over a change to the draft. The current text describes something that an ACME server *can* do; the proposed change, below, removes that text. The text was added to address an IESG DISCUSS. It takes no position on whether or not this should be done – no IETF keyword. Remov