On 08/31/2018 03:08 PM, Richard Barnes wrote:
ISSUE 1. Should we do POST-as-GET at all, vs. keeping GET and doing
the privacy analysis?
Agreed we're solved on this.
ISSUE 2: How should we signal that a POST-as-GET request is different
from other POST requests?
Started a separate thread on this.
ISSUE 3: Should servers be required to allow GET requests for
certificate URLs?
I'm not convinced this is absolutely necessary for the STAR use case,
and I'm still not thrilled about carving out exceptions, but I'm okay
leaving this as a MAY GET in the interests of landing the change.
ISSUE 4: How should we address the risk that an attacker can discover
URLs by probing for Unauthorized vs. Not Found?
There seemed to be agreement on the list that this should be addressed
with some guidance to servers on how to assign URLs. I have just
added some text to the PR for this.
This seems like a good plan to me.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
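The two server-side mitigations discussed under ISSUE 4, as an added example that is not from the ACME list, the PR, or any ACME implementation: assign resource URLs that cannot be enumerated, and give the same answer for "no such resource" and "not your resource" so that probing cannot confirm a URL exists. The request model is a stand-in for an ACME JWS (account `kid` plus `payload`; RFC 8555 signals POST-as-GET with an empty payload). The base URL, account URLs, store, handler names and the choice of 404 as the unified error are all assumptions made for the example.

```python
import itertools
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

BASE = "https://acme.example/acme"   # hypothetical directory base
POST_AS_GET = ""                     # empty JWS payload marks a POST-as-GET

Response = Tuple[int, dict]
MALFORMED = {"type": "urn:ietf:params:acme:error:malformed"}
UNAUTHORIZED = {"type": "urn:ietf:params:acme:error:unauthorized"}


@dataclass
class Resource:
    owner_kid: str   # account URL allowed to read this resource
    body: dict


class Store:
    """Resources keyed by full URL, with two URL assignment strategies."""

    def __init__(self) -> None:
        self.by_url: Dict[str, Resource] = {}
        self._counter = itertools.count(1)

    def create_sequential(self, kind: str, owner_kid: str, body: dict) -> str:
        # Guessable: the n-th resource of a kind lives at .../<kind>/n.
        url = f"{BASE}/{kind}/{next(self._counter)}"
        self.by_url[url] = Resource(owner_kid, body)
        return url

    def create_random(self, kind: str, owner_kid: str, body: dict) -> str:
        # 32 random bytes (256 bits) in the path: enumeration is infeasible,
        # so the URL itself is effectively a capability.
        url = f"{BASE}/{kind}/{secrets.token_urlsafe(32)}"
        self.by_url[url] = Resource(owner_kid, body)
        return url


def is_post_as_get(jws: dict) -> bool:
    return jws.get("payload") == POST_AS_GET


def leaky_handler(store: Store, url: str, jws: dict) -> Response:
    """Distinguishes the two failures: 404 proves absence, 401 proves existence."""
    if not is_post_as_get(jws):
        return 400, MALFORMED
    res = store.by_url.get(url)
    if res is None:
        return 404, MALFORMED
    if res.owner_kid != jws["kid"]:
        return 401, UNAUTHORIZED
    return 200, res.body


def uniform_handler(store: Store, url: str, jws: dict) -> Response:
    """Same response whether the resource is missing or belongs to someone else."""
    if not is_post_as_get(jws):
        return 400, MALFORMED
    res = store.by_url.get(url)
    if res is None or res.owner_kid != jws["kid"]:
        # One status for both cases (404 is an assumption of this example);
        # the probe below then learns nothing from the difference.
        return 404, MALFORMED
    return 200, res.body


def probe(handler: Callable[[Store, str, dict], Response], store: Store,
          urls: List[str], attacker_kid: str = f"{BASE}/acct/attacker") -> Dict[str, int]:
    """What an attacker holding only its own account learns: status per probed URL."""
    req = {"kid": attacker_kid, "payload": POST_AS_GET}
    return {u: handler(store, u, req)[0] for u in urls}


if __name__ == "__main__":
    store = Store()
    victim = f"{BASE}/acct/victim"
    existing = store.create_sequential("order", victim, {"status": "valid"})
    guesses = [existing, f"{BASE}/order/2"]
    print("leaky  :", probe(leaky_handler, store, guesses))    # 401 vs 404 reveals which exists
    print("uniform:", probe(uniform_handler, store, guesses))  # 404 for both
    print("random :", store.create_random("order", victim, {"status": "valid"}))
```

Run as a script it prints the status each handler returns for an existing and a non-existing sequential URL, then one randomly assigned URL. Note that uniform responses only close the Unauthorized-versus-Not-Found oracle; without unguessable URLs an attacker can still learn which resources exist by other side channels (timing, rate limits), so the guidance on URL assignment is the primary defence and the uniform error is the belt-and-braces part.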