Re: [Acme] ARI: Indication if certificate will be revoked

Andrew Ayer <agwa@andrewayer.name> Wed, 22 March 2023 20:31 UTC

Date: Wed, 22 Mar 2023 16:30:33 -0400
From: Andrew Ayer <agwa@andrewayer.name>
To: Seo Suchan <tjtncks@gmail.com>
Cc: acme@ietf.org
Message-Id: <20230322163033.dfd6b57f5cf8e2c81fb2a218@andrewayer.name>
In-Reply-To: <e4ea42b9-158e-7b5a-67b4-adc93b63dd32@gmail.com>
References: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name> <CAMh843vm-pneDF6SvhT2S+s_9XZqXk0TLqm5qXZzfnbwEVC6Bg@mail.gmail.com> <e4ea42b9-158e-7b5a-67b4-adc93b63dd32@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2bPezi4pUq76HAOPtb32PlzQYDg>
List-Id: Automated Certificate Management Environment <acme.ietf.org>

On Thu, 23 Mar 2023 01:55:06 +0900
Seo Suchan <tjtncks@gmail.com> wrote:

> I think it's pretty safe to say IFF ARI time changes from what it was
> set to just after certificate creation, you could guess there will be
> a revocation for that leaf certificate.

I don't think that's a safe assumption - the CA could be adjusting its
renewal window for all certificates.

There are probably other heuristics that could be used (like whether
the window differs significantly from other certificates issued by the
CA), or you could try to scrape explanationURL, but it would be much
more reliable if this could just be conveyed in the ARI document.

Regards,
Andrew
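An added example, not part of this thread, showing how a client could combine the two heuristics discussed above: a suggestedWindow that moved for one certificate is only treated as a revocation signal when the windows of the other certificates from the same CA did not move. The JSON shape (suggestedWindow/explanationURL) follows the ACME Renewal Information draft; the certificate ids, dates and URL are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

ARI_TIME = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format used in ARI suggestedWindow

def parse_window(ari_json):
    """Return (start, end) of suggestedWindow from an ARI renewalInfo JSON body."""
    win = json.loads(ari_json)["suggestedWindow"]
    to_dt = lambda s: datetime.strptime(s, ARI_TIME).replace(tzinfo=timezone.utc)
    return to_dt(win["start"]), to_dt(win["end"])

def window_shift(baseline, current):
    """Movement of the window start versus the copy fetched at issuance (negative = earlier)."""
    return parse_window(current)[0] - parse_window(baseline)[0]

def classify(cert_id, baselines, currents, threshold=timedelta(days=1)):
    """Return 'unchanged', 'ca-wide shift' or 'likely revocation' for one certificate.

    baselines/currents map cert id -> ARI JSON for every cert held from the same CA.
    A moved window only counts as a revocation signal when the peers did not move;
    if at least half of them shifted too, the CA probably changed its renewal policy.
    """
    shifts = {cid: window_shift(baselines[cid], currents[cid]) for cid in baselines}
    if abs(shifts[cert_id]) < threshold:
        return "unchanged"
    peers = [s for cid, s in shifts.items() if cid != cert_id]
    if peers and sum(abs(s) >= threshold for s in peers) * 2 >= len(peers):
        return "ca-wide shift"
    return "likely revocation"

def _ari(start, end):  # constructed sample document; explanationURL is a placeholder
    return json.dumps({"suggestedWindow": {"start": start, "end": end},
                       "explanationURL": "https://ca.example/explain"})

SAMPLE_BASELINE = {  # windows recorded right after issuance (constructed)
    "leaf-a": _ari("2023-05-01T00:00:00Z", "2023-05-03T00:00:00Z"),
    "leaf-b": _ari("2023-05-10T00:00:00Z", "2023-05-12T00:00:00Z"),
    "leaf-c": _ari("2023-05-20T00:00:00Z", "2023-05-22T00:00:00Z"),
}
# Only leaf-a's window jumped to "renew now"; its peers are unchanged.
SAMPLE_ONE_MOVED = dict(SAMPLE_BASELINE,
                        **{"leaf-a": _ari("2023-03-23T00:00:00Z", "2023-03-24T00:00:00Z")})
# Every window moved a week earlier: the CA adjusted its renewal window for all certs.
SAMPLE_ALL_MOVED = {
    "leaf-a": _ari("2023-04-24T00:00:00Z", "2023-04-26T00:00:00Z"),
    "leaf-b": _ari("2023-05-03T00:00:00Z", "2023-05-05T00:00:00Z"),
    "leaf-c": _ari("2023-05-13T00:00:00Z", "2023-05-15T00:00:00Z"),
}
```

Even with the peer comparison this remains a heuristic, which is the point of the message above: an explicit field in the ARI document would replace guessing.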