IETF Logo Mail Archive

[Acme] Proactive vs On-Finalization Certificate Issuance

Daniel McCarney <dmccarney@letsencrypt.org> Thu, 25 August 2016 17:57 UTC

Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C184812D536 for <acme@ietfa.amsl.com>; Thu, 25 Aug 2016 10:57:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VgpQrElRZsQB for <acme@ietfa.amsl.com>; Thu, 25 Aug 2016 10:57:29 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C36D412D528 for <acme@ietf.org>; Thu, 25 Aug 2016 10:57:28 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id g62so40070457lfe.3 for <acme@ietf.org>; Thu, 25 Aug 2016 10:57:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=vC2Sv0PbaVbS3plWzmyGqPF+RoggaXm8a5LE0ShaBmg=; b=bPNhwJFJAz97GShY7HDVCC9bAXGq4BduwV/D8oMDhm7hvOwrtDu/OC7RcldxI1891W LKprriuiLVv+kPAn1h7hI76HKlJhX74UKeOHWSJs8j6wNlHUG4EZY2LY3PVYmFrpfhSN lqL1zp43B6IIbnaBtnjvYkHbZ5VAdjYP0zx6Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=vC2Sv0PbaVbS3plWzmyGqPF+RoggaXm8a5LE0ShaBmg=; b=hAJksSC9NK8geL7Xso9FffwMQ9Q0F5G/CJUAD2wrpHHCz1HMjJeKRmUmkMCAN+r/s2 GIRITP77sIheH6GTROGqOtXNuY5BiVCuiyz+j51QjmsB76hSythhyqOBwLXpRPZcqOBq VCY/V/O76ZmLjgMlO5ltlq1e8oE+t+FhR3rlUz79feJSTbV6MI/NgBtRrfNh97/6ovEn zRUNm4ENDMhezwGO2xdUtLYyvorjPFiPm8x1H8Q8vrD0U26TmOcdBD8X3VWqZ/LPPaPd o5ZpXEc3DMFbY00URPHPE4wtkOubLtOjtTwakPcPqoq9bq66urLQXXDQYRe7qOeI22rH 5pUQ==
X-Gm-Message-State: AE9vXwMqZ2HliQiCrKtkLDEQ25OTfP88sqn3nNSRGJhOxJMhulGzdH5O1OaS+rxsivuhEnmoupmWfPZDCgE/ncQJ
X-Received: by 10.25.28.16 with SMTP id c16mr2946187lfc.79.1472147846336; Thu, 25 Aug 2016 10:57:26 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.7.206 with HTTP; Thu, 25 Aug 2016 10:57:25 -0700 (PDT)
From: Daniel McCarney <dmccarney@letsencrypt.org>
Date: Thu, 25 Aug 2016 13:57:25 -0400
Message-ID: <CAKnbcLijkaPK1Kx6cpdeK5EddyR5A=u3keAdf71FBTEaj-AQ3A@mail.gmail.com>
To: acme@ietf.org
Content-Type: multipart/alternative; boundary="001a114024bc7037b3053ae9213b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/0lVmGl8e-rmSH0x7ycDW5dj6GAY>
Subject: [Acme] Proactive vs On-Finalization Certificate Issuance
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 17:57:31 -0000

Hi folks,

I wanted to revisit a discussion on the server proactively issuing
certificates. Section 4, "Protocol Overview"[0] currently has a paragraph
that
reads:

> Once the validation process is complete and the server is satisfied that
the
> client has met its requirements, the server can either proactively issue
the
> requested certificate or wait for the client to request that the
application be
> “finalized”, at which point the certificate will be issued and provided
to the
> client.

There is also an "Open Issue" remark related to proactive issuance in
Section
6.1.3[1].

I think the specification should decide whether proactive issuance or
on-finalization issuance should be used instead of allowing both with no
indication to the client which will happen.

It's the preference of Let's Encrypt that the specification only support
on-finalization issuance. This is cheaper to implement and seems to be the
path
of least surprise. It also seems to better support large volume issuance
when
the client may want explicit control over when the certificates for multiple
applications are issued.

In the earlier "Re: [Acme] Preconditions" thread[2] Andrew Ayer seems to
agree
that there should be only one issuance method to simplify client behaviours,
though he favours proactive issuance instead of on-finalization issuance.
While
it saves a round-trip message I'm not sure that this alone is convincing
enough
to choose proactive issuance as the one issuance method.

What are the thoughts of other list members?

- Daniel/cpu

[0]
https://github.com/ietf-wg-acme/acme/blob/3502ff0bfb6d434b4326e206ea7cae7b8434ac7d/draft-ietf-acme-acme.md#protocol-overview

[1]
https://github.com/ietf-wg-acme/acme/blob/3502ff0bfb6d434b4326e206ea7cae7b8434ac7d/draft-ietf-acme-acme.md#application-objects

[2] https://www.ietf.org/mail-archive/web/acme/current/msg01160.html

v2.23.0 | Report a Bug | By Email