Adam:

Thanks for the ... detailed response :)

Looking through these examples, it looks like the unique problematic URLs are the following:

https://example.com/acme/acct/1
https://example.com/acme/acct/1/orders
https://example.com/acme/acct/1/order/1
https://example.com/acme/acct/1/order/1/finalize
https://example.com/acme/acct/1/order/2
https://example.com/acme/acct/1/order/50
https://example.com/acme/authz/0
https://example.com/acme/authz/1234
https://example.com/acme/authz/1234/0
https://example.com/acme/authz/1234/2
https://example.com/acme/authz/2345
https://example.com/acme/cert/1234
https://example.com/acme/order/asdf/finalize

I've changed these to the following partly-randomized URLs, under the theory that (1) independent, flat namespaces are good, (2) discovering order-list and finalization URLs isn't a big deal, and (3) 64 bits should be enough for anyone.

https://example.com/acme/acct/evOfKhNU60w
https://example.com/acme/acct/evOfKhNU60wg/orders
https://example.com/acme/order/TOlocE8rfgo
https://example.com/acme/order/TOlocE8rfgo/finalize
https://example.com/acme/order/4E16bbL5iSw
https://example.com/acme/order/neBHYLfw0mg
https://example.com/acme/authz/PAniVnsZcis
https://example.com/acme/authz/PAniVnsZcis
https://example.com/acme/chall/prV_B7yEyA4
https://example.com/acme/chall/Rg5dV14Gh1Q
https://example.com/acme/authz/r4HqLzrSrpI
https://example.com/acme/cert/mAt3xBGaobw
https://example.com/acme/order/TOlocE8rfgo/finalize

Pull request here:

https://github.com/ietf-wg-acme/acme/pull/455

Let's get some thorough review on that PR, though, to make sure I haven't introduced any accidental inconsistencies.

--Richard

On Tue, Sep 25, 2018 at 11:35 PM Adam Roach <[email protected]> wrote:

> The new text looks great. Thanks for the work that everyone has done to
> address the privacy concerns I highlighted.
>
> I do worry that implementors are likely to overlook the new text when the
> examples so clearly do not follow the recommendations in section 10.5.
> Please note that this was explicitly point (3) of my DISCUSS. For avoidance
> of doubt, I'll highlight the minimal set of examples that need to be
> updated. It would be ideal if the other examples that use constructs like
> "1234" and "4321" were similarly updated, but they are less likely to lead
> to the confusion that will be caused by the ones I cite below, which use
> single digits where section 10.5 calls for "large unpredictable components".
>
> One minor nit (since you're going to need a new draft):
> s/concatinates/concatenates/
>
> Problem 1:
>
>    {
>      "status": "valid",
>      "contact": [
>        "mailto:[email protected]",
>        "mailto:[email protected]"
>      ],
>      "termsOfServiceAgreed": true,
>      "orders": "https://example.com/acme/acct/1/orders"
>    }
>
>
> Problem 2:
>
>    {
>      "orders": [
>        "https://example.com/acme/acct/1/order/1",
>        "https://example.com/acme/acct/1/order/2",
>        /* 47 more URLs not shown for example brevity */
>        "https://example.com/acme/acct/1/order/50"
>      ]
>    }
>
>
> Problem 3:
>
>    {
>      "status": "valid",
>      "expires": "2015-03-01T14:09:07.99Z",
>
>      "identifiers": [
>        { "type": "dns", "value": "example.com" },
>        { "type": "dns", "value": "www.example.com" }
>      ],
>
>      "notBefore": "2016-01-01T00:00:00Z",
>      "notAfter": "2016-01-08T00:00:00Z",
>
>      "authorizations": [
>        "https://example.com/acme/authz/1234",
>        "https://example.com/acme/authz/2345"
>      ],
>
>      "finalize": "https://example.com/acme/acct/1/order/1/finalize",
>
>      "certificate": "https://example.com/acme/cert/1234"
>    }
>
> (at least the "finalize" URLs, and arguably the "certificate" and
> "authorizations" URLs)
>
>
> Problem 4:
>
>    HTTP/1.1 201 Created
>    Content-Type: application/json
>    Replay-Nonce: D8s4D2mLs8Vn-goWuPQeKA
>    Location: https://example.com/acme/acct/1
>    Link: <https://example.com/acme/some-directory>;rel="index"
>
>    {
>      "status": "valid",
>
>      "contact": [
>        "mailto:[email protected]",
>        "mailto:[email protected]"
>      ],
>
>      "orders": "https://example.com/acme/acct/1/orders"
>    }
>
> (Both the Link header field and the "orders" URL)
>
> Problem 5:
>
>    POST /acme/acct/1 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "ax5RnthDqp_Yf4_HZnFLmA",
>        "url": "https://example.com/acme/acct/1"
>      }),
>      "payload": base64url({
>        "contact": [
>          "mailto:[email protected]",
>          "mailto:[email protected]"
>        ]
>      }),
>      "signature": "hDXzvcj8T6fbFbmn...rDzXzzvzpRy64N0o"
>    }
>
> (The Request-URI and both URLs in the body)
>
>
> Problem 6:
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "S9XaOcxP5McpnTcWPIhYuB",
>        "url": "https://example.com/acme/key-change"
>      }),
>      "payload": base64url({
>        "protected": base64url({
>          "alg": "ES256",
>          "jwk": /* new key */,
>          "url": "https://example.com/acme/key-change"
>        }),
>        "payload": base64url({
>          "account": "https://example.com/acme/acct/1",
>          "oldKey": /* old key */
>        }),
>        "signature": "Xe8B94RD30Azj2ea...8BmZIRtcSKPSd8gU"
>      }),
>      "signature": "5TWiqIYQfIDfALQv...x9C2mg8JGPxl5bI4"
>    }
>
>
> Problem 7:
>
>    POST /acme/acct/1 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "ntuJWWSic4WVNSqeUmshgg",
>        "url": "https://example.com/acme/acct/1"
>      }),
>      "payload": base64url({
>        "status": "deactivated"
>      }),
>      "signature": "earzVLd3m5M4xJzR...bVTqn7R08AKOVf3Y"
>    }
>
>
> Problem 8:
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "5XJ1L3lEkMG7tR6pA00clA",
>        "url": "https://example.com/acme/new-order"
>      }),
>      "payload": base64url({
>        "identifiers": [
>          { "type": "dns", "value": "example.com" }
>        ],
>        "notBefore": "2016-01-01T00:04:00+04:00",
>        "notAfter": "2016-01-08T00:04:00+04:00"
>      }),
>      "signature": "H6ZXtGjTZyUnPeKn...wEA4TklBdh3e454g"
>    }
>
>
> Problem 9:
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "MSF2j2nawWHPxxkE3ZJtKQ",
>        "url": "https://example.com/acme/order/asdf/finalize"
>      }),
>      "payload": base64url({
>        "csr": "MIIBPTCBxAIBADBFMQ...FS6aKdZeGsysoCo4H9P",
>      }),
>      "signature": "uOrUfIIk5RyQ...nw62Ay1cl6AB"
>    }
>
>
> Problem 10:
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
>        "url": "https://example.com/acme/new-authz"
>      }),
>      "payload": base64url({
>        "identifier": {
>          "type": "dns",
>          "value": "example.net"
>        }
>      }),
>      "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
>    }
>
>
> Problem 11:
>
>    POST /acme/authz/1234 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>    Accept: application/pkix-cert
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
>        "url": "https://example.com/acme/authz/1234",
>      }),
>      "payload": "",
>      "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
>    }
>
>    HTTP/1.1 200 OK
>    Content-Type: application/json
>    Link: <https://example.com/acme/some-directory>;rel="index"
>
>    {
>      "status": "pending",
>      "expires": "2018-03-03T14:09:30Z",
>
>      "identifier": {
>        "type": "dns",
>        "value": "example.org"
>      },
>
>      "challenges": [
>        {
>          "type": "http-01",
>          "url": "https://example.com/acme/authz/1234/0",
>          "token": "DGyRejmCefe7v4NfDGDKfA"
>        },
>        {
>          "type": "dns-01",
>          "url": "https://example.com/acme/authz/1234/2",
>          "token": "DGyRejmCefe7v4NfDGDKfA"
>        }
>      ],
>
>      "wildcard": false
>    }
>
>
> Problem 12:
>
>    POST /acme/authz/1234/0 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "Q_s3MWoqT05TrdkM2MTDcw",
>        "url": "https://example.com/acme/authz/1234/0"
>      }),
>      "payload": base64url({}),
>      "signature": "9cbg5JO1Gf5YLjjz...SpkUfcdPai9uVYYQ"
>    }
>
>
> Problem 13:
>
>    POST /acme/authz/1234 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>    Accept: application/pkix-cert
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "uQpSjlRb4vQVCjVYAyyUWg",
>        "url": "https://example.com/acme/authz/1234",
>      }),
>      "payload": "",
>      "signature": "nuSDISbWG8mMgE7H...QyVUL68yzf3Zawps"
>    }
>
>    HTTP/1.1 200 OK
>    Content-Type: application/json
>
>    {
>      "status": "valid",
>      "expires": "2018-09-09T14:09:01.13Z",
>
>      "identifier": {
>        "type": "dns",
>        "value": "example.org"
>      },
>
>      "challenges": [
>        {
>          "type": "http-01",
>          "url": "https://example.com/acme/authz/1234/0",
>          "status": "valid",
>          "validated": "2014-12-01T12:05:13.72Z",
>          "token": "IlirfxKKXAsHtmzK29Pj8A"
>        }
>      ],
>
>      "wildcard": false
>    }
>
>
> Problem 14:
>
>    POST /acme/authz/1234 HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "xWCM9lGbIyCgue8di6ueWQ",
>        "url": "https://example.com/acme/authz/1234"
>      }),
>      "payload": base64url({
>        "status": "deactivated"
>      }),
>      "signature": "srX9Ji7Le9bjszhu...WTFdtujObzMtZcx4"
>    }
>
>
> Problem 15:
>
>    POST /acme/revoke-cert HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "JHb54aT_KTXBWQOzGYkt9A",
>        "url": "https://example.com/acme/revoke-cert"
>      }),
>      "payload": base64url({
>        "certificate": "MIIEDTCCAvegAwIBAgIRAP8...",
>        "reason": 4
>      }),
>      "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
>    }
>
>
> Problem 16:
>
>    POST /acme/revoke-cert HTTP/1.1
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "RS256",
>        "jwk": /* certificate's public key */,
>        "nonce": "JHb54aT_KTXBWQOzGYkt9A",
>        "url": "https://example.com/acme/revoke-cert"
>      }),
>      "payload": base64url({
>        "certificate": "MIIEDTCCAvegAwIBAgIRAP8...",
>        "reason": 1
>      }),
>      "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
>    }
>
>
> Problem 17:
>
>    {
>      "type": "http-01",
>      "url": "https://example.com/acme/authz/0",
>      "status": "pending",
>      "token": "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"
>    }
>
>
> Problem 18:
>
>    POST /acme/authz/1234/0
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "UQI1PoRi5OuXzxuX7V7wL0",
>        "url": "https://example.com/acme/authz/1234/0"
>      }),
>      "payload": base64url({}),
>      "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
>    }
>
>
> Problem 19:
>
>    POST /acme/authz/1234/2
>    Host: example.com
>    Content-Type: application/jose+json
>
>    {
>      "protected": base64url({
>        "alg": "ES256",
>        "kid": "https://example.com/acme/acct/1",
>        "nonce": "SS2sSl1PtspvFZ08kNtzKd",
>        "url": "https://example.com/acme/authz/1234/2"
>      }),
>      "payload": base64url({}),
>      "signature": "Q1bURgJoEslbD1c5...3pYdSMLio57mQNN4"
>    }
>
>
> /a
>
>
> On 9/25/18 4:02 PM, Richard Barnes wrote:
>
> This version incorporates the feedback from the IESG, most notably moving
> from GET to POST-as-GET.
>
> Chairs / ADs - Where to from here?
>
> On Tue, Sep 25, 2018 at 11:02 PM Richard Barnes <[email protected]>
> wrote:
>
>> This version incorporates the feedback from the IESG, most notably moving
>> from GET to POST-as-GET.
>>
>> Chairs / ADs - Where to from here?
>>
>> On Tue, Sep 25, 2018 at 10:50 PM <[email protected]> wrote:
>>
>>>
>>> A new version of I-D, draft-ietf-acme-acme-15.txt
>>> has been successfully submitted by Richard Barnes and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-ietf-acme-acme
>>> Revision:       15
>>> Title:          Automatic Certificate Management Environment (ACME)
>>> Document date:  2018-09-25
>>> Group:          acme
>>> Pages:          89
>>> URL:            https://www.ietf.org/internet-drafts/draft-ietf-acme-acme-15.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-ietf-acme-acme/
>>> Htmlized:       https://tools.ietf.org/html/draft-ietf-acme-acme-15
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-acme-acme
>>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-acme-acme-15
>>>
>>> Abstract:
>>>    Public Key Infrastructure X.509 (PKIX) certificates are used for a
>>>    number of purposes, the most significant of which is the
>>>    authentication of domain names.  Thus, certification authorities
>>>    (CAs) in the Web PKI are trusted to verify that an applicant for a
>>>    certificate legitimately represents the domain name(s) in the
>>>    certificate.  Today, this verification is done through a collection
>>>    of ad hoc mechanisms.  This document describes a protocol that a CA
>>>    and an applicant can use to automate the process of verification and
>>>    certificate issuance.  The protocol also provides facilities for
>>>    other certificate management functions, such as certificate
>>>    revocation.
>>>
>>>    RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for
>>>    this draft is maintained in GitHub.  Suggested changes should be
>>>    submitted as pull requests at https://github.com/ietf-wg-acme/acme
>>>    [1].  Instructions are on that page as well.  Editorial changes can
>>>    be managed in GitHub, but any substantive change should be discussed
>>>    on the ACME mailing list ([email protected]).
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
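
The URL scheme described in the message at the top of this thread (independent flat namespaces, 64-bit random identifiers), as an added example that is not code from the ACME draft, its authors or the pull request: a generator for such identifiers and a shape check for example URLs. The `FIXED` word list and all function names are assumptions made for this sketch.

```python
import base64
import re
import secrets
from urllib.parse import urlsplit

ID_BYTES = 8  # 64 bits, the size chosen in the message above
# Assumed list of fixed path words from the thread's URLs; any other
# path segment is treated as an identifier.
FIXED = {"acme", "acct", "order", "orders", "authz", "chall", "cert",
         "finalize", "new-order", "new-authz", "key-change", "revoke-cert"}
B64URL = re.compile(r"[A-Za-z0-9_-]+")


def new_id() -> str:
    """64 bits from the OS CSPRNG as unpadded base64url (11 characters)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(ID_BYTES)).rstrip(b"=").decode()


def resource_url(base: str, kind: str) -> str:
    """Flat namespace: every resource gets its own id directly under its type."""
    return f"{base}/{kind}/{new_id()}"


def check_id(seg: str):
    """Return a reason if seg does not look like a 64-bit token, else None.
    This checks shape only; it cannot prove the value came from a CSPRNG."""
    if seg.isdigit():
        return "numeric, likely sequential"
    if not B64URL.fullmatch(seg):
        return "not base64url"
    try:
        raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    except ValueError:  # binascii.Error: impossible base64 length
        return "not base64url"
    if len(raw) != ID_BYTES:
        return f"decodes to {len(raw)} bytes, expected {ID_BYTES}"
    return None


def lint(url: str):
    """List (segment, reason) findings for one example URL."""
    ids = [s for s in urlsplit(url).path.split("/") if s and s not in FIXED]
    findings = [(s, r) for s in ids if (r := check_id(s))]
    if len(ids) > 1:
        findings.append(("/".join(ids), "nested identifiers, namespace is not flat"))
    return findings


if __name__ == "__main__":
    for u in ("https://example.com/acme/acct/1/order/1/finalize",     # old draft example
              "https://example.com/acme/order/TOlocE8rfgo/finalize",  # revised example
              "https://example.com/acme/acct/evOfKhNU60wg/orders"):   # revised example
        print(u, lint(u))
```

The third sample is the revised account-orders URL exactly as listed in the message; its token is 12 characters where the account URL's is 11, so it decodes to 9 bytes and is reported.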
