Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Eric Rescorla
Thanks for clarifying.

On Mon, Oct 8, 2018 at 10:58 AM Salz, Rich wrote:
> - No, because GET+capability > GET. If you're going to have GET at all, you should have GET+capability
>
> And more importantly, you do not HAVE to do it; the text just has pointers on how to do it if des

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Jacob Hoffman-Andrews
> https://github.com/ietf-wg-acme/acme/pull/462

Re: [Acme] Allow get for certificates?

2018-10-08 Thread Jacob Hoffman-Andrews
The POST-as-GET mess started because Adam Roach pointed out that the "orders" URL (listing all of an account's orders), in some non-WebPKI contexts, could expose information that shouldn't be exposed. There are two possible fixes for this: The narrow fix -- Remove "orders." No one implements it

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Salz, Rich
* No, because GET+capability > GET. If you're going to have GET at all, you should have GET+capability

And more importantly, you do not HAVE to do it; the text just has pointers on how to do it if desired.

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Richard Barnes
No, because GET+capability > GET. If you're going to have GET at all, you should have GET+capability.

On Mon, Oct 8, 2018 at 12:43 PM Eric Rescorla wrote:
> My question is whether you would remove the text that JSHA was objecting to about capabilities URLs.
>
> On Mon, Oct 8, 2018 at 6:31 AM

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Eric Rescorla
My question is whether you would remove the text that JSHA was objecting to about capabilities URLs.

On Mon, Oct 8, 2018 at 6:31 AM Richard Barnes wrote:
> Not sure which existing text you're referring to. No conflict comes to mind.
>
> In particular, this seems compatible with the stuff in #

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Richard Barnes
Not sure which existing text you're referring to. No conflict comes to mind. In particular, this seems compatible with the stuff in #post-as-get about how the server indicates that it doesn't allow GET. The model I have in mind is that this flag indicates that it's reasonable for the client to t

Re: [Acme] FW: [ietf-wg-acme/acme] Add a meta flag to indicate when GET requests for certificates are allowed (#462)

2018-10-08 Thread Eric Rescorla
Speaking as an individual. Just to be clear, this change would be expected to coexist with the existing capabilities text? Richard, does it require that we retain that text?

-Ekr

On Sun, Oct 7, 2018 at 4:37 PM Salz, Rich wrote:
> WG, this PR adds a new optional indicator that GET can be used

Re: [Acme] Allow get for certificates?

2018-10-08 Thread Fossati, Thomas (Nokia - GB/Cambridge, UK)
The 10/08/2018 09:49, Yaron Sheffer wrote:
> IMO Richard's proposal is too coarse, in the sense that servers may want to publish some certificates with GET and others with POST-as-GET. So either this should not be a server-wide flag, or if it is, it should be augmented by a per-Order flag whe