Re: [Acme] Randomizing URLs in examples
I didn't merge, I just opened the PR so that we could have the discussion.

On Sat, Oct 6, 2018, 17:44 Salz, Rich wrote:

> The fact that there were open concerns does not mean that PR455 was wrong.
>
> Please undo the revert that was part of PR458.
>
> EVERYONE. Stop merging. Discuss on the list.
>
> From: Richard Barnes
> Date: Saturday, October 6, 2018 at 5:38 PM
> To: "acme@ietf.org"
> Subject: [Acme] Randomizing URLs in examples
>
> I have opened a PR reverting Jacob's reversion of the #455
>
> https://github.com/ietf-wg-acme/acme/pull/460
>
> The randomization of examples is independent of whether you think GETs are
> a good idea or not. As noted in the Security Considerations, having
> different types of resources in different namespaces, with unpredictable
> URLs, prevents attackers from discovering correlations if, say, a URL leaks.
>
> Any objections to this change?
>
> --Richard

___
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Randomizing URLs in examples
The fact that there were open concerns does not mean that PR455 was wrong.

Please undo the revert that was part of PR458.

EVERYONE. Stop merging. Discuss on the list.

From: Richard Barnes
Date: Saturday, October 6, 2018 at 5:38 PM
To: "acme@ietf.org"
Subject: [Acme] Randomizing URLs in examples

I have opened a PR reverting Jacob's reversion of the #455

https://github.com/ietf-wg-acme/acme/pull/460

The randomization of examples is independent of whether you think GETs are a good idea or not. As noted in the Security Considerations, having different types of resources in different namespaces, with unpredictable URLs, prevents attackers from discovering correlations if, say, a URL leaks.

Any objections to this change?

--Richard

[Acme] Randomizing URLs in examples
I have opened a PR reverting Jacob's reversion of the #455

https://github.com/ietf-wg-acme/acme/pull/460

The randomization of examples is independent of whether you think GETs are a good idea or not. As noted in the Security Considerations, having different types of resources in different namespaces, with unpredictable URLs, prevents attackers from discovering correlations if, say, a URL leaks.

Any objections to this change?

--Richard
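
An added example, not part of the original thread or of the ACME draft: a lint over example URLs that flags an identifier reused across resource namespaces, which is the correlation the message above says unpredictable URLs prevent. The host, the `/acme/<type>/<token>` path layout, the length heuristic and the sample URLs are constructed assumptions.

```python
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

MIN_TOKEN_LEN = 12  # assumed heuristic for this example, not taken from the draft


def split_resource(url):
    """Return (namespace, token), assuming paths shaped /acme/<type>/<token>."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) < 3 or parts[0] != "acme":
        raise ValueError(f"unexpected path layout: {url}")
    return parts[1], parts[2]


def lint_example_urls(urls):
    """Flag guessable tokens and tokens shared by more than one namespace."""
    namespaces_by_token = defaultdict(set)
    findings = []
    for url in urls:
        namespace, token = split_resource(url)
        namespaces_by_token[token].add(namespace)
        # Short or purely numeric identifiers are treated as predictable.
        if token.isdigit() or len(token) < MIN_TOKEN_LEN:
            findings.append(("guessable", url))
    for token, namespaces in namespaces_by_token.items():
        # One token under several resource types links those resources:
        # a leak of any one URL reveals the others.
        if len(namespaces) > 1:
            findings.append(("correlated", token, tuple(sorted(namespaces))))
    return findings


def new_resource_url(base, namespace):
    """Mint a URL with an independent 96-bit random token per resource."""
    return f"{base}/acme/{namespace}/{secrets.token_urlsafe(12)}"


# Constructed sample: one id reused under three resource types.
CORRELATED = [
    "https://example.com/acme/acct/1234",
    "https://example.com/acme/order/1234",
    "https://example.com/acme/authz/1234",
]
# Same three resource types, each with its own random token.
RANDOMIZED = [new_resource_url("https://example.com", ns)
              for ns in ("acct", "order", "authz")]

if __name__ == "__main__":
    for finding in lint_example_urls(CORRELATED) + lint_example_urls(RANDOMIZED):
        print(finding)
```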