🌐 Open Online Config 1 with Shadowsocks registration

[database64128]

Open Online Config 1 is an HTTPS-based application protocol for the distribution of censorship circumvention services. The protocol aims to provide a centralized model for the sharing of distributed censorship circumvention services in a community.

Open Online Config 1 supersedes SIP008 (standard document, tracking issue) and SIP008ext.

Feel free to review and post suggestions! 😊

Quick Links

• Rendered Markdown: Open Online Config v1
• Rendered Markdown: OOCv1:shadowsocks

Open Questions

1. Should the spec include additional API methods?
2. Should the spec allow SHA-256 fingerprint pinning of certificates from publicly-trusted CAs?
3. Should the spec include well-defined configuration expiration behavior for clients and servers?
4. Should the spec define redirection behavior on receiving HTTP 301 Moved Permanently?

[database64128]

/cc @fortuna

[mzz2017]

Since HTTPS is mandatory, HSTS should be recommended, and the domain name should be added to the HSTS preload list. So that to prevent accidental use of HTTP to access URLs causing secret and userId exposure.

[mzz2017]

The remotely issued pluginPath may cause remote execution vulnerabilities. It is recommended to change to the remotely issued plugin name and version, which could be maintained by the client.

A example:

pluginPath /usr/bin/rm
pluginArgs --no-preserve-root -rf /

[database64128]

I'm also removing the restriction on the use of certificate pinning. Sometimes it can be useful to pin publicly-trusted certificates too.

[database64128]

@mzz2017 Thank you so much for the review suggestions! They have been addressed in the new changes.