Re: [Acme] ARI: Indication if certificate will be revoked

Seo Suchan <tjtncks@gmail.com> Wed, 22 March 2023 16:59 UTC

Message-ID: <e4ea42b9-158e-7b5a-67b4-adc93b63dd32@gmail.com>
Date: Thu, 23 Mar 2023 01:55:06 +0900
To: acme@ietf.org
References: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name> <CAMh843vm-pneDF6SvhT2S+s_9XZqXk0TLqm5qXZzfnbwEVC6Bg@mail.gmail.com>
From: Seo Suchan <tjtncks@gmail.com>
In-Reply-To: <CAMh843vm-pneDF6SvhT2S+s_9XZqXk0TLqm5qXZzfnbwEVC6Bg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/6GPhqSMrIIB5s1iOVFcOrfk1iGc>
Subject: Re: [Acme] ARI: Indication if certificate will be revoked

IIRC it was dual purpose: state some randomish time to reduce load spikes 
at 12:00 AM or mass renewals after a mass revocation event, and to order a 
renewal when revocation is imminent.

I think it's pretty safe to say IFF the ARI time changes from what it was 
set to just after certificate creation, you could guess there will be a 
revocation for that leaf certificate.

On 2023-03-23 at 1:46 AM, Amir Omidi wrote:
> My concern with this is that it creates a bit of a requirement to 
> revoke by/on that time, which doesn't seem to be the intent of ARI I 
> think?
>
> Also what should the precision of this time field be? day/hour/etc?
>
> On Wed, Mar 22, 2023 at 10:35 AM Andrew Ayer <agwa@andrewayer.name> wrote:
>
>     I'm working on adding an ARI client to a certificate monitoring service
>     to notify users when one of their certificates is scheduled to be
>     revoked.  Unfortunately, ARI doesn't currently convey whether the
>     suggestedWindow is mandatory (because the certificate is going to be
>     revoked) or merely advisory.
>
>     I had previously thought that an end time that was earlier than the
>     certificate's expiration would indicate an upcoming revocation, but it
>     appears that Let's Encrypt's ARI endpoint routinely specifies an end
>     time that is ~30 days earlier than the certificate's expiration.
>
>     I propose that the renewalInfo object contain a nullable field called
>     revocationTime which specifies the time the certificate is going to be
>     revoked, if applicable.
>
>     Regards,
>     Andrew
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
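As an added example (my own code, not from any poster on this thread and not from the ARI draft or any ACME client): a monitoring-side check in Python that implements the heuristic stated above, i.e. record the renewalInfo seen right after issuance and flag a likely revocation only when the suggestedWindow later moves earlier, while an end time that merely precedes notAfter (the ~30 days Andrew observed) is reported as informational and not treated as a revocation signal. The suggestedWindow and explanationURL fields are the ones in the draft; revocationTime is Andrew's proposal from this thread and is handled as a hypothetical nullable field. It also shows the draft's client-side rule of picking a uniform random instant inside the window and renewing once that instant has passed, which is the load-spreading purpose Seo mentions. All JSON responses below are constructed sample data, not captured from any CA.

```python
import json
import random
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


def parse_rfc3339(value: str) -> datetime:
    """Parse the RFC 3339 timestamps ARI uses; 'Z' is normalised for fromisoformat()."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass(frozen=True)
class RenewalInfo:
    start: datetime
    end: datetime
    explanation_url: Optional[str] = None
    # Hypothetical: the nullable revocationTime field proposed in this thread,
    # not a field of the ARI draft.
    revocation_time: Optional[datetime] = None


def parse_renewal_info(body: str) -> RenewalInfo:
    """Parse a renewalInfo JSON body into a RenewalInfo, validating the window."""
    obj = json.loads(body)
    window = obj["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    revocation = obj.get("revocationTime")
    return RenewalInfo(start, end, obj.get("explanationURL"),
                       parse_rfc3339(revocation) if revocation else None)


def pick_renewal_time(info: RenewalInfo, seed: Optional[int] = None) -> datetime:
    """Uniform random instant inside the window, as the draft tells clients to choose."""
    span = (info.end - info.start).total_seconds()
    return info.start + timedelta(seconds=random.Random(seed).uniform(0, span))


def should_renew(info: RenewalInfo, now: datetime, seed: Optional[int] = None) -> bool:
    """Renew once the chosen instant has passed (always True after the window ends)."""
    return pick_renewal_time(info, seed) <= now


def assess(baseline: RenewalInfo, current: RenewalInfo, not_after: datetime) -> dict:
    """Compare the current renewalInfo with the one recorded at issuance."""
    if current.revocation_time is not None:
        likely, reason = True, "revocationTime present"
    elif current.end < baseline.end or current.start < baseline.start:
        likely, reason = True, "suggestedWindow moved earlier than the window seen at issuance"
    else:
        likely, reason = False, "window unchanged since issuance"
    return {
        "likely_revocation": likely,
        "reason": reason,
        "explanation_url": current.explanation_url,
        # Informational only: a window ending before notAfter is routine, not a signal.
        "days_between_window_end_and_expiry": (not_after - current.end).days,
    }


# Constructed sample data (not real CA responses).
NOT_AFTER = parse_rfc3339("2023-06-20T09:00:00Z")
AT_ISSUANCE = parse_renewal_info(
    '{"suggestedWindow": {"start": "2023-05-20T09:00:00Z", "end": "2023-05-22T09:00:00Z"}}')
ROUTINE = parse_renewal_info(
    '{"suggestedWindow": {"start": "2023-05-20T09:00:00Z", "end": "2023-05-22T09:00:00Z"}}')
IMMINENT = parse_renewal_info(
    '{"suggestedWindow": {"start": "2023-03-23T00:00:00Z", "end": "2023-03-24T00:00:00Z"},'
    ' "explanationURL": "https://example.invalid/incident"}')
PROPOSED = parse_renewal_info(
    '{"suggestedWindow": {"start": "2023-03-23T00:00:00Z", "end": "2023-03-24T00:00:00Z"},'
    ' "revocationTime": "2023-03-24T12:00:00Z"}')

if __name__ == "__main__":
    for name, current in (("routine", ROUTINE), ("imminent", IMMINENT), ("proposed", PROPOSED)):
        print(name, assess(AT_ISSUANCE, current, NOT_AFTER))
    print("renew now?", should_renew(IMMINENT, parse_rfc3339("2023-03-25T00:00:00Z")))
```

The baseline must be stored per certificate at issuance; without it, a short window alone cannot be distinguished from a CA that routinely suggests renewal a month before expiry. The seed parameter exists only to make the random choice reproducible in tests; a real client should leave it unset.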