Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-19 Thread Salz, Rich
Ø Might not that bad as long as CAs offer both versions. But we have other pending changes? because of insecure? DVSNI challenges. They should maybe coordinated and updated at once. This is an RFC-in-progress. We’re likely to settle on one version of each type.

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-19 Thread Niklas Keller
2015-11-19 20:23 GMT+01:00 Salz, Rich : > Ø I'd prefer that currently, way better than having a lot of different > specs with only minimal differences. > > We’re not going to have lots of different specs, we’re just bumping the > version number because there are already

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Niklas Keller
+1 for .txt, there are servers configured to serve only specific file extensions. Regards, Niklas ___ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Bryan Livingston
Here's yet another problem reported by a user that would be solved by switching to .txt answer locations. https://github.com/Lone-Coder/letsencrypt-win-simple/issues/7 Typically web servers are already setup to host robots.txt so placing a .txt file on a server should be the least demanding

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Warren Kumari
On Wednesday, November 18, 2015, Bryan Livingston wrote: > Here's yet another problem reported by a user that would be solved by > switching to .txt answer locations. > > https://github.com/Lone-Coder/letsencrypt-win-simple/issues/7 > > Typically web servers are

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Niklas Keller
How would the transition work? Which URI does the server query then? Both? Or would the client just send the extension in the challenge answer? Regards, Niklas 2015-11-18 19:45 GMT+01:00 Ted Hardie : > On Wed, Nov 18, 2015 at 10:00 AM, Peter Eckersley wrote: >

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Bryan Livingston
It wouldn't break my client if the ACME servers started appending .txt to the answer location. I'm just taking that string and using it as a filename. Does the python client do the same? On Wed, Nov 18, 2015 at 11:37 AM, Niklas Keller wrote: > 2015-11-18 19:00 GMT+01:00 Peter

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-18 Thread Ted Hardie
On Wed, Nov 18, 2015 at 10:00 AM, Peter Eckersley wrote: > Sounds like we have emerging consensus around this version of 3b. Does > anyone know of anything it breaks? > > On Wed, Nov 18, 2015 at 05:51:55PM +0100, Niklas Keller wrote: > > +1 for .txt, there are servers configured

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-13 Thread Bryan Livingston
I was hoping that the server could just add a .txt to the end of the answer string location that it ask the client to make available on the web server. My client would just work with no changes in that case, and the python client might as well. On Fri, Nov 13, 2015 at 6:56 AM, Richard Barnes

[Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Peter Eckersley
https://github.com/ietf-wg-acme/acme/pull/40 was just merged, but we didn't actually get consensus that dropping Content-Type restrictions altogether was a good idea. The options are: 0.keep the old spec (Content-Type application/jose+json, no file extensions allowed) 1 keep the

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Peter Eckersley
I should have added another option, 3b, drop the Content-Type restriction but allow file extensions. Sounds like that would be a win on IIS. On Thu, Nov 12, 2015 at 05:05:53PM -0800, Martin Thomson wrote: > On 12 November 2015 at 16:44, Peter Eckersley wrote: > > But is 3 the best

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Richard Barnes
Sorry if I pulled the trigger on that one a bit early. Happy to revise, as always. I think there was pretty feeling in the room at the IETF meeting that Content-Type checking was not doing much. Are we aware of any actual scenarios where untrusted entities can write to .well-known directories?

Re: [Acme] Content-Type and file extensions for HTTP01 challenges

2015-11-12 Thread Martin Thomson
On 12 November 2015 at 16:44, Peter Eckersley wrote: > But is 3 the best answer? Of those presented, I think so. I know that this isn't a great answer (it's bad already, so bad must be OK), but being able to drop things into .well-known opens a raft of other interesting attacks.