Re: [Acme] confirming the certificate renewal in draft-aaron-acme-ari-01
Aaron Gable <aaron@letsencrypt.org> Fri, 18 March 2022 18:54 UTC
Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2CFE3A0CCA for <acme@ietfa.amsl.com>; Fri, 18 Mar 2022 11:54:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQtq3LxoVJXT for <acme@ietfa.amsl.com>; Fri, 18 Mar 2022 11:54:19 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E26093A1151 for <acme@ietf.org>; Fri, 18 Mar 2022 11:54:13 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id m187so9600651vsc.12 for <acme@ietf.org>; Fri, 18 Mar 2022 11:54:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/StrTlLZVx+0MuceHSS0wvkYChc/wRrhLHpmOczlP1Y=; b=IjIAgId8v+6dfv/WQjO4MYGllimlqDZcLNMv9lGTJpyAROvc/pN/25upfmGWbUjxm+ CnnvP4pCPvkz6SOS1aSGl2et3e8LVk7mr++6F7cLJjqSGWMjhn986OJxqVL+0lwPa8uM dujutqaHhw5QoK5fyuIiu3yZMMuG1K/QRZrCU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/StrTlLZVx+0MuceHSS0wvkYChc/wRrhLHpmOczlP1Y=; b=VzQ7TiYHCDHTSvVeGfTgCXqbuN2QwlGVqPG0vyIQGp4Dh+MWYRnsazBlsK1YDLE5cI oxVEj7jY5hTMZS1naJ6Mw7LwbucgCj5TuDRbrDKja/d+VMbdRARiMK2m/+8wJVcLJWY9 nKX2fte6e3ULPkrk0FMkqw+X1m7/+3R4w1Z18l1pI9USwfnO/+gLOmArVYB/5iP9FrG+ RQxlluSAvk0KXC6PtQmyvCvxriBN0jmfCHPNXO4rMS0drTnoO97ESRFmWSdjBw/eQUeR yWACuk4XlsbuaWrksZxAURoXc4n0moUvm/WWqmBzdEgE8Lsx2RUVYCs6E/5S/DfSOIvr XCdg==
X-Gm-Message-State: AOAM533q1K4JpcwJosWSkfUCOLjmOkvmvjw98nSix9aIdqjRPcbEKxnm +NxIgWDu47u9XnQhpfvPirLPXB05cTRFK/ZkcToEVOo/zqc=
X-Google-Smtp-Source: ABdhPJzJ8DS4xwAmt5Sw08MOYSnDZUbiu7y1ueLveufody20TtaCEishzg6f37MTW918SEliySTsv4N80f7S9DMK1Ac=
X-Received: by 2002:a67:e3bb:0:b0:320:c5f7:9647 with SMTP id j27-20020a67e3bb000000b00320c5f79647mr4046175vsm.7.1647629652652; Fri, 18 Mar 2022 11:54:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAEmnErdp+fpOPAqW2Oj9e1HDiioeU_pczLJ0+iBHkKBXti6-aw@mail.gmail.com> <174991.1637261030@dooku>
In-Reply-To: <174991.1637261030@dooku>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Fri, 18 Mar 2022 11:54:02 -0700
Message-ID: <CAEmnErf+cX-yT7miCCF5runQ9NqW5bOzrsuz0v5xJ2=+=k9wSA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002b132705da82aca5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/6PqfhpFUGE8lVqeILlBqQHS4u8w>
Subject: Re: [Acme] confirming the certificate renewal in draft-aaron-acme-ari-01
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2022 18:54:24 -0000
Thanks for the detailed feedback, and apologies for the delayed reply! I've incorporated a specification for how clients can inform the acme server that a certificate has been renewed/replaced in the next draft of this document, and will go over this aspect in the IETF 133 session next week. Aaron On Thu, Nov 18, 2021 at 10:43 AM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > {Splitting up replies to make threads easier to deal} > > Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org> wrote: > > 2) Considering inclusion of a "this has been renewed" callback > endpoint > > > This is tracked as > https://github.com/aarongable/draft-acme-ari/issues/15 > > > One of the motivating use-cases for this protocol extension is the > > "business continuity in spite of revocation" case: a CA that is > about to > > revoke a certificate could, the next time that cert's subscriber's > client > > polls the ARI endpoint, inform the client that it should renew right > away. > > Then the client could replace the cert as normal, and the original > could be > > revoked without any disruption to the subscriber. > > I manage LE's certificates for a few dozen machines. Not so many that it's > worth the overhead of more formal monitoring, but not so few that it's > easy. > They machines are very different in OSes and versions and whether they do > dns-01 or http-01 challenges, and so suffer from various different > failures. > > In about 2 out of 5 cases, a few weeks after the last renewal, I've > changed > something (added a new virtual host, for instance), which results in me > renewing early. Alas, LE sends me a notice of expiry based upon the > original > certificate expiry, and I make a note to check that it's really renewed, > not > remembering which is which. > > Long story: this confirmation stuff would be helpful for many situations. > > > Therefore it would be useful for the client to be able to inform the > server > > "Thanks for telling me I should renew this cert; I have no completed > that > > task to my own satisfaction", so that the server can then go ahead > and > > revoke the cert, knowing it will not cause any disruption by doing > so. > > > One idea to implement this would be for the client to POST to the > same > > resource url as it polls for renewalInfo, with the body being a > signed JWT > > containing a single "renewalComplete=true" as the body. The server > would > > only accept this if the POST were signed by the same account key as > > originally ordered the cert. > > This seems good. > When a certificate is re-issues with an expanded (or diminished) set of > SANs, > then I hope that we can use this to mark the old certificate as satisfied. > Should the CA revoke? I'm not sure if it's worth the CRL space, if CRLs > are > being used. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- >
- [Acme] Discussion on draft-aaron-acme-ari-01 Aaron Gable
- [Acme] how to specify desired retry window in dra… Michael Richardson
- [Acme] confirming the certificate renewal in draf… Michael Richardson
- Re: [Acme] confirming the certificate renewal in … Aaron Gable