It appears that we missed a security issue. Please take a look at the PR mentioned below. It removes many GET requests and turns them into POST so that the client payload can have authentication information.
If you object to this change, please post a note to the list and explain why. Try to do that within a week. Thanks.

From: Richard Barnes <[email protected]>
Date: Thursday, August 30, 2018 at 11:42 AM
To: Adam Roach <[email protected]>
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [Acme] Adam Roach's Discuss on draft-ietf-acme-acme-14: (with DISCUSS and COMMENT)

My preference here would be for approach (1). I appreciate that it's a big change to make this late in the process, but that's the price we pay for missing a pretty significant issue up until now.

For existing implementations, the code impact should be modest, as long as they have been architected to isolate fetch logic (i.e., they have a get() method that you could just change to do the right POST thing). And as long as we don't *forbid* responding to GET requests, servers can support both options for the time being.

To illustrate what change we'd need to make, I went ahead and wrote up a PR:

https://github.com/ietf-wg-acme/acme/pull/445
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
