Return-Path: <ounsworth@gmail.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1])
	by mail2.ietf.org (Postfix) with ESMTP id 90B11A630BC9
	for <acme@mail2.ietf.org>; Sun, 11 Jan 2026 16:29:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.098
X-Spam-Level: 
X-Spam-Status: No, score=-1.098 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
	FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001,
	SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key)
	header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31])
	by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id y8jZYKOnqGTd for <acme@mail2.ietf.org>;
	Sun, 11 Jan 2026 16:29:45 -0800 (PST)
Received: from mail-oo1-xc34.google.com (mail-oo1-xc34.google.com
 [IPv6:2607:f8b0:4864:20::c34])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256)
	(No client certificate requested)
	by mail2.ietf.org (Postfix) with ESMTPS id 40853A630BBF
	for <acme@ietf.org>; Sun, 11 Jan 2026 16:29:45 -0800 (PST)
Received: by mail-oo1-xc34.google.com with SMTP id
 006d021491bc7-65ec86c5e70so3544498eaf.3
        for <acme@ietf.org>; Sun, 11 Jan 2026 16:29:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1768177778; x=1768782578; darn=ietf.org;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=hHf8qnxxoFEWLJU6j1v3seEe/VRZkfTp83J3BZQWn3Q=;
        b=BA77pcWMTV8QcvJKuBP2yVCSTSAQfA5JTX9CxwrMHAIwCPkIooyeE35JWtH1OatlRY
         YxMdEjQaNIKe8gmaHfYAf6NkX9PODfZ3kpzPmqlyUWPXIhFz4bfGv3yXQD9lGPb+dLBE
         UDShDNotyoksPlfu92RRvQ0tIz2jXY7rQwkpMFDP/hL3OzIGooL9qtWgxgPFDgZWaHDo
         6LiWeFKfVO49t3IGRMrs+bxid3x5MVCa0xUjlG1M3S1ASlTFTb63B0AFUA8nWQW0vrPC
         ky0NeecGeVNaoP99eFPSol57wc+XaV9+P53z/XVLYbCTV3uxSTRbW7zZKh0oOlUmVU4b
         eMyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1768177778; x=1768782578;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=hHf8qnxxoFEWLJU6j1v3seEe/VRZkfTp83J3BZQWn3Q=;
        b=Zqdm8lj/yRJgUZAdZ8d6UOwkI3MDImdx8FSVchVRE3fWsv0iroP2PM1oOAtxXsZ66f
         /cHFdlz5Co6YOZ3PXyaDKaAfaV13kZfi/d/kqs5GN9sAdUQNC9hI8qltpLy9HCYKkenX
         VvWoKb5r5dhjACIb5hxs3xGXaZJDsI+IurTF7TSQzC/h+7s2OEut036hk6gY4hnZyQ/6
         TJErTbLXzXInpJj9udu1DyujRaNVFORlmmpBRJgM8UuEzFdDssPcbzfURi54nP9IvSMJ
         d/+1UT+wgMWxm6M8ID5GcgwpHSR4caUBAPyQvRaDU2LJxIUY9cBxeUNqMDixn8VKawn5
         Lpng==
X-Forwarded-Encrypted: i=1;
 AJvYcCW1SlxPFIm9ZY2z6WCmeaC/T8LnPF7PaqNZEhTp61Itm1dkOwNRTnLF5D50hYzogeVMmeki@ietf.org
X-Gm-Message-State: AOJu0Ywx0VcmmoLqRZJhRUaqy5+qSH3KNokFYFBOqjenByb/6gOY45de
	Ke8UtnLF7DRFFMj4N5w6hnDNJv8thMyudCskbrfTs8/bqfNzJTKRWxxBPIpKZr5gahLc2BCA6U6
	T+X1cXHWYZ9OifwwFNIJ0itw0PHIZHOI=
X-Gm-Gg: AY/fxX4oCtXaCcs79XStGzCbNb7EicrZhP242mUuSiAO8Cmjh6cYQpaZ3PnKbRkulVw
	Gf7RhJZYMMqLG0wJd1L8w6SlElvKl2vmERwOaznRSCHzYiKg7aSF0Vz3Ph6QdxMVvTFcDrzisKh
	u7aJ4eK0hDa2kBwmqHPMY+1NJ3D8CRMLgCgV/FMHGfJauUxzSRDF4f4em7tVU8m69/QAARuGrlE
	0LEtESKhhPVIWc+qxV86EVTyOPZwDrIIJcCDbZ+nt84zP7Y11jvYTzlGOgdes3evX6i6YRuQXPD
	EIq2dTs=
X-Google-Smtp-Source: 
 AGHT+IGocqP9NOMsgH4LusYq4+rmRKmQIFYWCx/PI6zoRHnAbB/L/lNmE/zlwr/5gxCDx8k/3wsZUh4fAUi96o3248M=
X-Received: by 2002:a05:6820:611:b0:659:9a49:8eb8 with SMTP id
 006d021491bc7-65f54f7e3a0mr8211457eaf.60.1768177778349; Sun, 11 Jan 2026
 16:29:38 -0800 (PST)
MIME-Version: 1.0
References: 
 <CAKZgXHqkK--vPiC35O5dA7W9x_dBzss4Me0ymLoyURUE8Uq6zA@mail.gmail.com>
 <CAEmnErcw-2JunoUZs6jXj1GienP9EHa9F7yuHM8rb5xxXy3+Nw@mail.gmail.com>
In-Reply-To: 
 <CAEmnErcw-2JunoUZs6jXj1GienP9EHa9F7yuHM8rb5xxXy3+Nw@mail.gmail.com>
From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Sun, 11 Jan 2026 18:29:27 -0600
X-Gm-Features: AZwV_QgZeBPPd5Jr1icu0Y4uh62LqIJ0ihnitDMVv9IWVWi40fAeSRCqIWVjXjI
Message-ID: 
 <CAKZgXHpjsjoa19pxTqQwWj1Amqd+h0T4j3+OXaQgto96_ZhWWg@mail.gmail.com>
To: Aaron Gable <aaron@letsencrypt.org>
Content-Type: multipart/alternative; boundary="00000000000060ddcb064825f8d1"
Message-ID-Hash: APNGSGI24AHHLR6TKXQ4YZ5IELIJENAP
X-Message-ID-Hash: APNGSGI24AHHLR6TKXQ4YZ5IELIJENAP
X-MailFrom: ounsworth@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-acme.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-acme-profiles@ietf.org, IETF ACME <acme@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: =?utf-8?q?=5BAcme=5D_Re=3A_Comment_on_draft-ietf-acme-profiles_about_change_?=
	=?utf-8?q?management?=
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/acme/2cwTnSX7GnUqMFDdyl2R0pZzE18>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

--00000000000060ddcb064825f8d1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hmm. ok.

PS I didn't "length of the validation chain" as in "whether or not the CA
servers the intermediate", I meant, like, the CA actually physically adds
or removes a layer of CA. I think I'm thinking that the PQ era will involve
changes larger than the changes we've seen over the past decade, but I'm
also ok to leave it.

On Fri, 9 Jan 2026 at 17:03, Aaron Gable <aaron@letsencrypt.org> wrote:

> Hi Mike,
>
> Responding to pull-quotes inline below:
>
> On Thu, Jan 8, 2026 at 4:36=E2=80=AFPM Mike Ounsworth <ounsworth+ietf@gma=
il.com>
> wrote:
>
>> I think there's an assumption here that the CA is free to evolve their
>> offered profiles over time;
>>
>
> Yes, they are, and they always have been: every ACME CA for the last
> decade has been evolving their single default profile over time to keep u=
p
> with changing requirements and best practices.
>
>
>> But then, how much change is too much change that the CA really ought to
>> declare a new profile and deprecate the old one?
>>
>
> That's a very, very high bar. Note that the draft says that requests for
> an unrecognized profile MUST be rejected by the CA. This means that fully
> deprecating a profile breaks all clients which are explicitly requesting
> that profile, until their operators notice and update their profile
> configuration.
>
> This is on purpose. We believe that if a client is requesting a specific
> profile, it is probably doing so for good reason (especially given that a=
ll
> ACME clients have gotten along just fine with only a single default profi=
le
> for the last decade). It would be surprising for a client to request
> profile `foo` and instead get an order with profile `bar` because the CA
> has deprecated `foo`.
>
> But this also means that CAs should generally not design profiles with th=
e
> intent to deprecate them. In turn, "versioning" profiles will cause site
> operators to have to update their requested profile configuration
> frequently, and/or require the CA to support many ancient version numbers
> lest they risk breaking anyone requesting that specific version.
>
> I think that any mention of versioning (whether normative or merely a
> suggestion) within this draft will lead both CAs and clients to believe
> that profiles are meant to be immutable, and that way lies sadness. If
> there is to be any discussion of versioning within this document, I would
> want it to be an exhortation against versioning, as it breaks the
> longstanding contract of "trust the CA to make the best decision possible
> given the current regulatory environment".
>
> Thanks,
> Aaron
>
> P.S.:
>
>
>> if you changed the length of the CA cert path,
>>
>
> Note that, in ACME, the length of the validation chain shouldn't be
> influenced by the profile; that's instead controlled post hoc via link
> rel=3Dalternate headers on the certificate download.
>

--00000000000060ddcb064825f8d1
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hmm. ok.</div><div><br></div><div>PS I didn&#39;t &qu=
ot;length of the validation chain&quot; as in &quot;whether or not the CA s=
ervers the intermediate&quot;, I meant, like, the CA actually physically ad=
ds or removes a layer of CA. I think I&#39;m thinking that the PQ era will =
involve changes larger than the changes we&#39;ve seen over the past decade=
, but I&#39;m also ok to leave it.</div></div><br><div class=3D"gmail_quote=
 gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, 9 Jan=
 2026 at 17:03, Aaron Gable &lt;<a href=3D"mailto:aaron@letsencrypt.org">aa=
ron@letsencrypt.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex"><div dir=3D"ltr"><div dir=3D"ltr">Hi Mike,</div><div dir=
=3D"ltr"><br></div><div dir=3D"ltr">Responding to pull-quotes inline below:=
<br><div><br></div><div>On Thu, Jan 8, 2026 at 4:36=E2=80=AFPM Mike Ounswor=
th &lt;<a href=3D"mailto:ounsworth%2Bietf@gmail.com" target=3D"_blank">ouns=
worth+ietf@gmail.com</a>&gt; wrote:</div></div><div class=3D"gmail_quote"><=
blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l=
eft:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>I th=
ink there&#39;s an assumption here that the CA is free to evolve their offe=
red profiles over time;</div></div></blockquote><div><br></div><div>Yes, th=
ey are, and they always have been: every ACME CA for the last decade has be=
en evolving their single default profile over time to keep up with changing=
 requirements and best practices.</div><div>=C2=A0</div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>But then, how much c=
hange is too much change that the CA really ought to declare a new profile =
and deprecate the old one?</div></div></blockquote><div><br></div><div>That=
&#39;s a very, very high bar. Note that the draft says that requests for an=
 unrecognized profile MUST be rejected by the CA. This means that fully dep=
recating a profile breaks all clients which are explicitly requesting that =
profile, until their operators notice and update their profile configuratio=
n.</div><div><br></div><div>This is on purpose. We believe that if a client=
 is requesting a specific profile, it is probably doing so for good reason =
(especially given that all ACME clients have gotten along just fine with on=
ly a single default profile for the last decade). It would be surprising fo=
r a client to request profile `foo` and instead get an order with profile `=
bar` because the CA has deprecated `foo`.</div><div><br></div><div>But this=
 also means that CAs should generally not design profiles with the intent t=
o deprecate them. In turn, &quot;versioning&quot; profiles will cause site =
operators to have to update their requested profile configuration frequentl=
y, and/or require the CA to support many ancient version numbers lest=C2=A0=
they risk breaking anyone requesting that specific version.</div><div><br><=
/div><div>I think that any mention of versioning (whether normative or mere=
ly a suggestion) within this draft will lead both CAs and clients to believ=
e that profiles are meant to be immutable, and that way lies sadness. If th=
ere is to be any discussion of versioning within this document, I would wan=
t it to be an exhortation against versioning, as it breaks the longstanding=
 contract of &quot;trust the CA to make the best decision possible given th=
e current regulatory environment&quot;.</div><div><br></div><div>Thanks,</d=
iv><div>Aaron</div><div><br></div><div>P.S.:</div><div>=C2=A0</div><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px=
 solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div>if you chan=
ged the length of the CA cert path, </div></div></blockquote><div><br></div=
><div>Note that, in ACME, the length of the validation chain shouldn&#39;t =
be influenced by the profile; that&#39;s instead controlled post hoc via li=
nk rel=3Dalternate headers on the certificate download.</div></div></div>
</blockquote></div>

--00000000000060ddcb064825f8d1--

