Re: [Acme] Authorizations and Certificates in Registrations

Hugo Landau <hlandau@devever.net> Sun, 06 December 2015 00:36 UTC

Date: Sun, 6 Dec 2015 00:36:01 +0000
From: Hugo Landau <hlandau@devever.net>
To: Niklas Keller <me@kelunik.com>
Message-ID: <20151206003601.GA32274@andover>
References: <CANUQDCjv6oVAyFNm8pQfmEzEJ+s+HsAS7OkV5H3U1X8JWHaRNA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CANUQDCjv6oVAyFNm8pQfmEzEJ+s+HsAS7OkV5H3U1X8JWHaRNA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/6MrrRoGgysfb_fApIaJufoBV1fE>
Cc: acme@ietf.org
Subject: Re: [Acme] Authorizations and Certificates in Registrations
List-Id: Automated Certificate Management Environment <acme.ietf.org>

On Sat, Dec 05, 2015 at 07:10:43PM +0100, Niklas Keller wrote:
>    Hello,
>    what's the reason why "authorizations" and "certificates" are optional in
>    registration objects? They should both not be optional IMO, because they
>    can be used nicely to lower the load on the CA, because clients can reuse
>    prior authorizations and even download lost certificates easily. This
>    also makes revocation easier, because you can simply list all valid
>    certificates for a given account key.
>    Regards, Niklas

Indeed. My own client keeps a note of obtained authorizations and
their expiration dates and certificate URLs.

What might be nice is a function to find valid authorizations and
certificates by hostname, so that clients can quickly look for
objects satisfying their requirements. Servers are likely to index this
sort of thing for rate limiting purposes anyway.
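The note-keeping and hostname lookup described above, as an added example (not code from this thread or from any ACME client): a client-side index of draft-era ACME authorization objects, keyed by hostname, that returns only authorizations still valid with a safety margin. The `url` field, the `ca.example` URLs and the sample objects are constructed for illustration.

```python
"""Client-side index of ACME authorizations, keyed by hostname.

Added example; assumes draft-era ACME authorization objects carrying
"identifier", "status" and "expires" (RFC 3339) fields. Sample data
is constructed, not fetched from a real CA.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: authorization objects a client fetched from the
# URLs listed in its registration's "authorizations" array.
SAMPLE_AUTHZ = [
    {"url": "https://ca.example/acme/authz/1",
     "identifier": {"type": "dns", "value": "example.com"},
     "status": "valid", "expires": "2016-01-05T00:00:00Z"},
    {"url": "https://ca.example/acme/authz/2",
     "identifier": {"type": "dns", "value": "example.com"},
     "status": "valid", "expires": "2015-11-01T00:00:00Z"},    # already expired
    {"url": "https://ca.example/acme/authz/3",
     "identifier": {"type": "dns", "value": "www.example.com"},
     "status": "pending", "expires": "2016-01-05T00:00:00Z"},  # not usable yet
]

def parse_expires(value):
    """Parse an RFC 3339 timestamp with a trailing 'Z' as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_index(authz_objects):
    """Map lowercase hostname -> [(expires, url)] for dns authorizations in
    status 'valid'; pending/invalid/revoked ones are never reusable."""
    index = {}
    for a in authz_objects:
        if a["identifier"]["type"] != "dns" or a["status"] != "valid":
            continue
        host = a["identifier"]["value"].lower().rstrip(".")
        index.setdefault(host, []).append((parse_expires(a["expires"]), a["url"]))
    return index

def find_valid_authorization(index, hostname, now, margin=timedelta(days=1)):
    """Return the URL of the longest-lived authorization for `hostname` that
    still has more than `margin` left at `now`, or None if a fresh challenge
    is needed. The margin avoids reusing one that expires mid-issuance."""
    host = hostname.lower().rstrip(".")
    candidates = [(exp, url) for exp, url in index.get(host, []) if exp > now + margin]
    return max(candidates)[1] if candidates else None
```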