On 08/31/2018 01:51 PM, Adam Roach wrote:
> The baseline problem here is that the original analysis that determined
> that orders, authorizations, challenges, and certificates were "not
> sensitive" was incorrect. These are all potentially sensitive from a
> privacy perspective. Perhaps not in isolation, but the problem here is
> correlation, not isolation.
What do you think about the question of preventing correlation of the
existence of URLs? Do you think that's in-scope, or should we only
prevent correlation of the contents?
Here's another example of a URL scheme where revealing existence would
reveal some correlation data:
/account/100/certificate/example.com
/account/201/certificate/example.net
/account/100/certificate/secret.example.com
Personally, I think it will be intractable to hide the
existence/non-existence of URLs, and we should just mention it as a risk
in the security considerations section. That leads me to the conclusion
that it's fine to return Unauthorized for resources that exist, but the
client does not own.
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
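The two response policies being weighed in the message above, as an added example that is not code from the ACME list, RFC 8555 or any ACME implementation: a toy resource store answers requests for `/account/<id>/certificate/<domain>` URLs either with 401 for resources that exist but belong to another account (the policy the reply calls "fine") or with 404 for both absent and foreign resources. A second, unprivileged account then probes guessed URLs and groups confirmed hits by account, which is exactly the correlation the thread is worried about. The URL scheme, account ids, hostnames and guesses are constructed sample data.

```python
"""Toy ACME-style resource store for the two response policies discussed
in the thread: 401 Unauthorized for resources that exist but belong to
another account, versus 404 Not Found for both "absent" and "not yours".
Added example, not code from the ACME list or any ACME implementation;
the /account/<id>/certificate/<domain> URL scheme, account ids and
hostnames are constructed sample data."""

from http import HTTPStatus

# Constructed sample data: (owning account, domain) pairs for which a
# certificate resource exists on the server.
CERTIFICATES = {
    ("100", "example.com"),
    ("201", "example.net"),
    ("100", "secret.example.com"),
}


def parse_certificate_url(path):
    """Return (account, domain) for /account/<id>/certificate/<domain>,
    or None for any other path."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[0] != "account" or parts[2] != "certificate":
        return None
    return parts[1], parts[3]


def respond(path, requester, hide_existence):
    """Status the server returns to `requester` for `path`.

    hide_existence=False: existing-but-not-owned -> 401, absent -> 404,
    so the two cases are distinguishable to the requester.
    hide_existence=True: both -> 404, so existence is not revealed."""
    parsed = parse_certificate_url(path)
    if parsed is None:
        return HTTPStatus.NOT_FOUND
    owner, domain = parsed
    if (owner, domain) not in CERTIFICATES:
        return HTTPStatus.NOT_FOUND
    if owner != requester:
        return HTTPStatus.NOT_FOUND if hide_existence else HTTPStatus.UNAUTHORIZED
    return HTTPStatus.OK


def probe(paths, requester, hide_existence):
    """What an unprivileged account learns by requesting each path.
    Returns {path: 'own' | 'exists' | 'absent' | 'absent-or-foreign'}."""
    learned = {}
    for path in paths:
        status = respond(path, requester, hide_existence)
        if status == HTTPStatus.OK:
            learned[path] = "own"
        elif status == HTTPStatus.UNAUTHORIZED:
            learned[path] = "exists"  # leaked: the resource exists, not ours
        elif hide_existence:
            learned[path] = "absent-or-foreign"  # 404 is ambiguous by design
        else:
            learned[path] = "absent"
    return learned


def correlate(learned):
    """Group confirmed-existing certificate URLs by account id: the
    correlation the thread describes (e.g. account 100 is seen to hold
    both example.com and secret.example.com)."""
    by_account = {}
    for path, verdict in learned.items():
        if verdict in ("own", "exists"):
            account, domain = parse_certificate_url(path)
            by_account.setdefault(account, set()).add(domain)
    return by_account


# Constructed guesses that an attacker holding account 999 might try.
GUESSES = [
    "/account/100/certificate/example.com",
    "/account/100/certificate/secret.example.com",
    "/account/100/certificate/nothere.example",
    "/account/201/certificate/example.net",
    "/account/201/certificate/secret.example.com",
]

if __name__ == "__main__":
    for hide in (False, True):
        print("hide_existence =", hide)
        learned = probe(GUESSES, "999", hide)
        for path, verdict in learned.items():
            print(f"  {verdict:18} {path}")
        print("  inferred per-account inventory:", correlate(learned))
```

With `hide_existence=False` the foreign account ends up with account 100 mapped to both `example.com` and `secret.example.com` and account 201 mapped to `example.net`; with `hide_existence=True` every foreign or absent URL collapses to 404 and the inferred inventory is empty. Note that the uniform-404 policy only closes the status-code channel: a real server would also have to avoid response-time and body-length differences between the "absent" and "foreign" branches, which this toy does not attempt.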