Lukasa / mkcert

Customised trust stores for you and your family.
Apache License 2.0
97 stars 15 forks

Alias labels to something hand-typable #1

Closed shazow closed 10 years ago

shazow commented 10 years ago

%20-separating things is a pain, especially if I'm going to hand-wget things from CLI.

Better: case-insensitive - or _ separated names. GeoTrust%20Global%20CA+QuoVadis%20Root%20CA -> geotrust-global-ca+quovadis-root-ca

Best: fuzzy-matched names. GeoTrust%20Global%20CA+QuoVadis%20Root%20CA -> geotrust+quovadis

Lukasa commented 10 years ago

Yeah, I thought about this before I went to bed. It's a good idea!

However, that's a potential footgun, so I think we want three extra API endpoints as well:

  1. Similar whitelist/blacklist endpoints that require exact matching. They probably won't use fun URLs but will use a request body because you may want to mention a lot of certs.
  2. An endpoint you can hit that will tell you what your search string actually matches before you run it! =D

Sound good?

shazow commented 10 years ago

Eh dunno, multiple endpoints for different types of labels of the same thing seems superfluous.

You're deciding what the labels are anyways (from the /labels endpoint), why not just choose easier labels to deal with? Or are the name ids official somewhere?

Either way, allowing - or _ instead of spaces, and making it case-insensitive is fairly footgun-safe.

Fuzzy matching might be overkill. Maybe just prefix matching if it's unambiguous?

Lukasa commented 10 years ago

Hmm, this has revealed some stuff. Firstly, labels aren't unique, so I've been losing some certs. That's easy enough to fix, we'll key them off something else.

As for where the labels are coming from, they're from the trust store, I'm not giving the certs their labels. My issue with footgunning is using the /generate/ endpoint and getting more certs than you expected. Might not be a real issue though.

shazow commented 10 years ago

Why would you get more than you expected?

Lukasa commented 10 years ago

How many certs do you think the string 'geotrust' matches? Because the answer is 'lots'. You may not want to trust all of them. =)

shazow commented 10 years ago

> Maybe just prefix matching if it's unambiguous?

Could also allow wildcard notation, geotrust*

Lukasa commented 10 years ago

It'd have to I think.

I think the general idea here is good, but I think you'll want to find a way to see what you're doing. Additionally, if you do have a use-case where you want to match specific certs that URL gets long fast. Hence my thought about an extra API endpoint.

Lukasa commented 10 years ago

I'm not going to work on this during the day today anyway, so I'll let it stew and see if I can work out a way to do it that keeps the niceness of your API. =)

shazow commented 10 years ago

Or same endpoint and optionally accept a POST with the full query in the body.

But yea, we need to consider the most common scenario. I expect it'll be either:

  1. You have a whitelist of CAs you trust in a file somewhere and you need the latest PEM for them. (Probably easiest to just POST the body of the file, one-id-per-line.)
  2. You just want one or a handful of CAs to test something (in that case doing it in the URL is convenient).

Lukasa commented 10 years ago

These are also the two use-cases I expect. =) We'll get (2) working first because (1) is kinda trivial.

Lukasa commented 10 years ago

Alright, fuzzy matching is done and the README updated. I haven't plumbed (1) through yet, but I will.

Lukasa commented 10 years ago

Ok, (1) is done as well! Closing. =)

shazow commented 10 years ago

:cake:

Lukasa commented 10 years ago

FYI, at some point if you find some free time I'd love some design feedback on the website.
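The matching trade-off discussed in this thread, as an added example that is not mkcert's own code: hand-typable labels, prefix matching only when unambiguous, an explicit `*` wildcard, and a preview of what a query selects before it is used to build a trust store. The function names, the sample labels and the use of a list index as the unique key are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample labels (not real trust-store contents); one is duplicated on purpose.
SAMPLE_LABELS = [
    "GeoTrust Global CA",
    "GeoTrust Global CA 2",
    "GeoTrust Primary Certification Authority",
    "QuoVadis Root CA",
    "QuoVadis Root CA 2",
    "QuoVadis Root CA",  # labels are not unique, so certs are keyed by index here
]

def normalize(label):
    """Lowercase, decode %20, and collapse runs of space, '-' or '_' into one '-'."""
    return re.sub(r"[\s_\-]+", "-", unquote(label).strip().lower())

def candidates(term, labels):
    """Return the (index, label) pairs a single query term would select."""
    wildcard = term.endswith("*")
    want = normalize(term.rstrip("*"))
    norm = [(i, l, normalize(l)) for i, l in enumerate(labels)]
    if not wildcard:
        # An exact normalized match wins over prefix matches.
        exact = [(i, l) for i, l, n in norm if n == want]
        if exact:
            return exact
    return [(i, l) for i, l, n in norm if n.startswith(want)]

def preview(query, labels):
    """Show what each '+'-separated term matches, without selecting anything."""
    return {t: candidates(t, labels) for t in query.split("+") if t}

def select(query, labels):
    """Resolve a query to cert indexes; refuse silent over-matching."""
    chosen = set()
    for term, hits in preview(query, labels).items():
        if not hits:
            raise ValueError(f"{term!r} matches no certificate")
        if len(hits) > 1 and not term.endswith("*"):
            names = ", ".join(l for _, l in hits)
            raise ValueError(f"{term!r} is ambiguous: {names}")
        chosen.update(i for i, _ in hits)
    return sorted(chosen)
```

A bare `geotrust` is rejected as ambiguous while `geotrust*` is an explicit opt-in to every match, and the duplicated label shows why a label alone cannot identify a single certificate.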