aarongable / draft-acme-ari

Internet Draft for the Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension

Consider disallowing POST-as-GET for renewalInfo #3

Closed aarongable closed 2 years ago

aarongable commented 2 years ago

The renewalInfo objects are going to be queried very frequently, and their data is highly cacheable. The draft should take a stronger stance and disallow POST-as-GET entirely.

This was suggested during the ACME WG interim meeting, but I forget by which participant.

jcjones commented 2 years ago

Yes, this will be necessary for adoption.

jcjones commented 2 years ago

Specifically, we wouldn't be able to roll this out unless it can be cached. The database load for also verifying an account signature on each renewal check -- which could be even more often than OCSP checks -- would be very difficult to manage without significant architecture changes.