On 9/6/18 10:02 AM, Richard Barnes wrote:
After the weekend's discussions, I've updated the PR to reflect what I understand to be emerging agreement on these topics:

ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing the privacy analysis?
PROPOSED RESOLUTION: Yes.

ISSUE 2: How should we signal that POST-as-GET request is different from other POST requests?
PROPOSED RESOLUTION: A JWS with a zero-octet payload ("")

ISSUE 3: Should servers be required to allow GET requests for certificate URLs?
PROPOSED RESOLUTION: No, but they MAY

ISSUE 4: How should we address the risk that an attacker can discover URLs by probing for Unauthorized vs. Not Found?
PROPOSED RESOLUTION: Security considerations that recommend non-correlatable URL plans

https://github.com/ietf-wg-acme/acme/pull/445

Adam: Is this looking like an approach that would satisfy your DISCUSS?


Yes, it would. Thanks to everyone for moving so quickly on this. (n.b.: I glanced at the PR, but did not review it in detail. I leave it to the WG, its chairs, and the sponsoring AD to ensure the document is consistent and reflects consensus.)

/a
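The ISSUE 2 signal in working form, as an added example that is not part of this thread or of the ACME PR: a POST-as-GET is a flattened JWS whose payload is zero octets (encoding to `""`), so it stays distinct from a normal POST carrying `{}` (which encodes to `"e30"`), and the server can tell the two apart only after the signature has verified. The `sign`/`verify` callbacks, URLs and nonce are assumptions for illustration; a real ACME account key is asymmetric (RFC 8555 disallows MAC algorithms), and a real server also checks the nonce.

```python
import base64
import json

def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS (RFC 7515) and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def acme_jws(protected: dict, payload: bytes, sign) -> dict:
    """Flattened JWS JSON serialization. `sign` is a caller-supplied function
    from the JWS signing input to raw signature bytes (assumed interface; in
    ACME this is the account key, which must not be a MAC algorithm)."""
    p = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl = b64url(payload)  # b"" encodes to "": this is the POST-as-GET signal
    sig = sign((p + "." + pl).encode("ascii"))
    return {"protected": p, "payload": pl, "signature": b64url(sig)}

def post_as_get(url: str, kid: str, nonce: str, sign, alg: str = "ES256") -> dict:
    """Authenticated request that carries no body: zero-octet payload."""
    return acme_jws({"alg": alg, "kid": kid, "nonce": nonce, "url": url}, b"", sign)

def post_json(url: str, kid: str, nonce: str, obj, sign, alg: str = "ES256") -> dict:
    """Ordinary ACME POST; note that {} encodes to "e30", never to ""."""
    body = json.dumps(obj, separators=(",", ":")).encode()
    return acme_jws({"alg": alg, "kid": kid, "nonce": nonce, "url": url}, body, sign)

def classify(body: dict, request_url: str, verify) -> str:
    """Server side: verify the signature and the url binding first, then
    distinguish POST-as-GET (payload "") from a POST carrying a JSON object.
    `verify(signing_input, sig_bytes) -> bool` is a caller-supplied check."""
    protected = json.loads(b64url_decode(body["protected"]))
    signing_input = (body["protected"] + "." + body["payload"]).encode("ascii")
    if not verify(signing_input, b64url_decode(body["signature"])):
        raise ValueError("signature does not verify")
    if protected.get("url") != request_url:
        raise ValueError("JWS url does not match the request URL")
    if body["payload"] == "":
        return "post-as-get"
    if not isinstance(json.loads(b64url_decode(body["payload"])), dict):
        raise ValueError("payload must be a JSON object")
    return "post"
```

Because the payload is covered by the signature, stripping the body from a signed POST to turn it into a POST-as-GET (or the reverse) fails verification rather than changing the request's meaning.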

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
