From: Shiloh Heurich <shiloh@heurich.com>
In-Reply-To: <EDFCDF8C-28C2-42E9-8A22-0583BEF60DD9@gmail.com>
Date: Fri, 17 Apr 2026 09:37:11 -0400
Message-Id: <1C14DDF1-9CFD-4A57-ABF5-D186038E0896@heurich.com>
References: 
 <CAFg2froJTxp+kT_VdSuNs9LVqFQhO-WJZBt=-qoVQO9c8M+=Xw@mail.gmail.com>
 <CAEmnErdOBBzj+5nuZBYo0zN64zMXDeX-3sdcFBQqJirmHky2gA@mail.gmail.com>
 <0548587B-B211-4BC9-8F4F-51F30EC555E0@heurich.com>
 <EDFCDF8C-28C2-42E9-8A22-0583BEF60DD9@gmail.com>
To: Seo Suchan <tjtncks@gmail.com>
CC: acme@ietf.org
Subject: [Acme] Re: Potential issues with dns-persist-01
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/acme/5tOFAXS--VpF7KLQ1p-CQ0X4k-Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>

> On Apr 17, 2026, at 08:09, Seo Suchan <tjtncks@gmail.com> wrote:
> 
> How hard is it for an ACME CA to remember every public key an account was/is tied to?

Not hard to track in a database table; the problem is what it does to revocation.

If old key thumbprints stay valid indefinitely, then key rotation no longer revokes the old key's authority over persistent records. An attacker who compromised a key that was later rotated away can still use dns-persist records containing that key's thumbprint. That's the opposite of what rotation is for.

You could bound it (e.g. accept keys from the last N rotations, or within a time window) but then clients eventually need to update DNS records anyway, and the CA carries the complexity of deciding which old keys are recent enough.
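To make the revocation point concrete, here is an added Python illustration (not code from the draft, from this thread, or from any CA): a CA-side check of a persistent record that names an account key by its RFC 7638 JWK thumbprint, evaluated under three policies for keys that have been rotated away. The record model, the policy names and the JWK values are assumptions made for the example.

```python
import base64
import hashlib
import json
from dataclasses import dataclass, field


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the key's required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass
class Account:
    """Current key plus the keys rotated away (oldest first): the CA's own bookkeeping."""
    current: dict
    retired: list = field(default_factory=list)

    def rotate(self, new_key: dict) -> None:
        self.retired.append(self.current)
        self.current = new_key


def record_authorizes(account: Account, record_thumbprint: str, policy: str, n: int = 0) -> bool:
    """Does a record naming record_thumbprint still speak for the account?
    current-only: rotation revokes the old key.  any-historical: every key the
    account ever had stays valid (the thread's concern).  last-n: current key
    plus the n most recently retired keys (the bounded variant)."""
    accepted = [account.current]
    if policy == "any-historical":
        accepted += account.retired
    elif policy == "last-n":
        accepted += account.retired[-n:] if n > 0 else []
    elif policy != "current-only":
        raise ValueError(f"unknown policy {policy!r}")
    return record_thumbprint in {jwk_thumbprint(k) for k in accepted}


# Constructed P-256 JWKs: the coordinates are placeholders, not real curve points.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "CCCC", "y": "DDDD"}
KEY_C = {"kty": "EC", "crv": "P-256", "x": "EEEE", "y": "FFFF"}


def rotation_outcomes() -> dict:
    """Account rotates A -> B -> C while the DNS record still names A's thumbprint."""
    acct = Account(current=KEY_A)
    acct.rotate(KEY_B)
    acct.rotate(KEY_C)
    stale = jwk_thumbprint(KEY_A)  # thumbprint of a key rotated away twice
    out = {p: record_authorizes(acct, stale, p) for p in ("current-only", "any-historical")}
    out.update({f"last-{n}": record_authorizes(acct, stale, "last-n", n=n) for n in (1, 2)})
    return out
```

Under "any-historical" the stale record keeps its authority after two rotations, under "current-only" it loses it at the first rotation, and "last-n" only moves the point at which the client must update the record.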

