[Acme] Proactive vs On-Finalization Certificate Issuance
Daniel McCarney <dmccarney@letsencrypt.org> Thu, 25 August 2016 17:57 UTC
Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C184812D536 for <acme@ietfa.amsl.com>; Thu, 25 Aug 2016 10:57:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VgpQrElRZsQB for <acme@ietfa.amsl.com>; Thu, 25 Aug 2016 10:57:29 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C36D412D528 for <acme@ietf.org>; Thu, 25 Aug 2016 10:57:28 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id g62so40070457lfe.3 for <acme@ietf.org>; Thu, 25 Aug 2016 10:57:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=vC2Sv0PbaVbS3plWzmyGqPF+RoggaXm8a5LE0ShaBmg=; b=bPNhwJFJAz97GShY7HDVCC9bAXGq4BduwV/D8oMDhm7hvOwrtDu/OC7RcldxI1891W LKprriuiLVv+kPAn1h7hI76HKlJhX74UKeOHWSJs8j6wNlHUG4EZY2LY3PVYmFrpfhSN lqL1zp43B6IIbnaBtnjvYkHbZ5VAdjYP0zx6Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vC2Sv0PbaVbS3plWzmyGqPF+RoggaXm8a5LE0ShaBmg=; b=hAJksSC9NK8geL7Xso9FffwMQ9Q0F5G/CJUAD2wrpHHCz1HMjJeKRmUmkMCAN+r/s2 GIRITP77sIheH6GTROGqOtXNuY5BiVCuiyz+j51QjmsB76hSythhyqOBwLXpRPZcqOBq VCY/V/O76ZmLjgMlO5ltlq1e8oE+t+FhR3rlUz79feJSTbV6MI/NgBtRrfNh97/6ovEn zRUNm4ENDMhezwGO2xdUtLYyvorjPFiPm8x1H8Q8vrD0U26TmOcdBD8X3VWqZ/LPPaPd o5ZpXEc3DMFbY00URPHPE4wtkOubLtOjtTwakPcPqoq9bq66urLQXXDQYRe7qOeI22rH 5pUQ==
X-Gm-Message-State: AE9vXwMqZ2HliQiCrKtkLDEQ25OTfP88sqn3nNSRGJhOxJMhulGzdH5O1OaS+rxsivuhEnmoupmWfPZDCgE/ncQJ
X-Received: by 10.25.28.16 with SMTP id c16mr2946187lfc.79.1472147846336; Thu, 25 Aug 2016 10:57:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.7.206 with HTTP; Thu, 25 Aug 2016 10:57:25 -0700 (PDT)
From: Daniel McCarney <dmccarney@letsencrypt.org>
Date: Thu, 25 Aug 2016 13:57:25 -0400
Message-ID: <CAKnbcLijkaPK1Kx6cpdeK5EddyR5A=u3keAdf71FBTEaj-AQ3A@mail.gmail.com>
To: acme@ietf.org
Content-Type: multipart/alternative; boundary="001a114024bc7037b3053ae9213b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0lVmGl8e-rmSH0x7ycDW5dj6GAY>
Subject: [Acme] Proactive vs On-Finalization Certificate Issuance
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 17:57:31 -0000
Hi folks, I wanted to revisit a discussion on the server proactively issuing certificates. Section 4, "Protocol Overview"[0] currently has a paragraph that reads: > Once the validation process is complete and the server is satisfied that the > client has met its requirements, the server can either proactively issue the > requested certificate or wait for the client to request that the application be > “finalized”, at which point the certificate will be issued and provided to the > client. There is also an "Open Issue" remark related to proactive issuance in Section 6.1.3[1]. I think the specification should decide whether proactive issuance or on-finalization issuance should be used instead of allowing both with no indication to the client which will happen. It's the preference of Let's Encrypt that the specification only support on-finalization issuance. This is cheaper to implement and seems to be the path of least surprise. It also seems to better support large volume issuance when the client may want explicit control over when the certificates for multiple applications are issued. In the earlier "Re: [Acme] Preconditions" thread[2] Andrew Ayer seems to agree that there should be only one issuance method to simplify client behaviours, though he favours proactive issuance instead of on-finalization issuance. While it saves a round-trip message I'm not sure that this alone is convincing enough to choose proactive issuance as the one issuance method. What are the thoughts of other list members? - Daniel/cpu [0] https://github.com/ietf-wg-acme/acme/blob/3502ff0bfb6d434b4326e206ea7cae7b8434ac7d/draft-ietf-acme-acme.md#protocol-overview [1] https://github.com/ietf-wg-acme/acme/blob/3502ff0bfb6d434b4326e206ea7cae7b8434ac7d/draft-ietf-acme-acme.md#application-objects [2] https://www.ietf.org/mail-archive/web/acme/current/msg01160.html
- [Acme] Proactive vs On-Finalization Certificate I… Daniel McCarney
- Re: [Acme] Proactive vs On-Finalization Certifica… Richard Barnes
- Re: [Acme] Proactive vs On-Finalization Certifica… Andrew Ayer
- Re: [Acme] Proactive vs On-Finalization Certifica… Daniel McCarney
- Re: [Acme] Proactive vs On-Finalization Certifica… Richard Barnes
- Re: [Acme] Proactive vs On-Finalization Certifica… Daniel McCarney
- Re: [Acme] Proactive vs On-Finalization Certifica… Roland Bracewell Shoemaker
- Re: [Acme] Proactive vs On-Finalization Certifica… Roland Bracewell Shoemaker
- Re: [Acme] Proactive vs On-Finalization Certifica… Daniel McCarney
- Re: [Acme] Proactive vs On-Finalization Certifica… Jacob Hoffman-Andrews
- Re: [Acme] Proactive vs On-Finalization Certifica… Jacob Hoffman-Andrews