[Acme] Proposal: ACME Profiles

Aaron Gable <aaron@letsencrypt.org> Wed, 30 August 2023 22:21 UTC

Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 409E0C1526F7 for <acme@ietfa.amsl.com>; Wed, 30 Aug 2023 15:21:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id WYi6tAHHK5OE for <acme@ietfa.amsl.com>; Wed, 30 Aug 2023 15:21:43 -0700 (PDT)
Received: from mail-vk1-xa2e.google.com (mail-vk1-xa2e.google.com [IPv6:2607:f8b0:4864:20::a2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 327BDC15257A for <acme@ietf.org>; Wed, 30 Aug 2023 15:21:43 -0700 (PDT)
Received: by mail-vk1-xa2e.google.com with SMTP id 71dfb90a1353d-48d11ae09c8so82205e0c.3 for <acme@ietf.org>; Wed, 30 Aug 2023 15:21:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1693434101; x=1694038901; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=/43KkDEwRdREJHyFhIHbRZyvpSLpK8ktvcaOH1IbXnI=; b=ae9G9wcE5iikJT4CA04OcEAahIjUsCd97A/3/0dce5zNsf7v9EZdSchQDKQ2Dcf77f 1gJbMdxX+vqXKtOlyIit+XI9cPkZRr6042J0e6wqlBhb+ON7y2bfqwVj3aEWNnGMUTjT 8AJ9HJI23w3n/yYp5x0lQjO+ypifu7vzHrc0o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693434101; x=1694038901; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=/43KkDEwRdREJHyFhIHbRZyvpSLpK8ktvcaOH1IbXnI=; b=WdpOUM4uoIxc4grs+mKHHAEUZzB1Jb8jIjNaj/aurTcHESnMR0FCbtBEgqOd2tnMSe S+Pf8pL/+5tfFGcGQz+X6GuPp1RaoaeLtFocd+TQVowyyVwJSLfjBOBs0dGn6WJr99dJ /9UICLylIZozwyNuHvJsAeMYgXWmErax0VVPmtJi2IrARAgxD7mqSbkCG00L7APJBjEf B0UJOxN2sb9Rs+Z45DY4trcOnmNXfFq+sdy8UrKCWigpYqmnpGQOSuG66i1ySOnFmCY/ Lr/b/u+QmybQsphLpacCORYsKvmPYvXNTVOEHXfIZ5fDCKU0ANI6d+SxbePj+hK+4vfd nIXw==
X-Gm-Message-State: AOJu0YwttEb9+1KGYok6UM21V5qP+1e1+uDGW4VUjJGyXcwgzcd/HV7e uUeXjo24+KECI2g5D90/MQ7xCXCt/yTGQb87aCos4RjwknqlD86tQPs=
X-Google-Smtp-Source: AGHT+IEGR/xEJm87AwRS2W2hbNt0HQqufdZTbWS+5/+CG8soGI/uEljt8t2Q/Z4dphNU4cupmlTSBJ32S+NAQX98PAM=
X-Received: by 2002:a67:fc98:0:b0:447:7a6b:2c8b with SMTP id x24-20020a67fc98000000b004477a6b2c8bmr2587465vsp.30.1693434101339; Wed, 30 Aug 2023 15:21:41 -0700 (PDT)
MIME-Version: 1.0
From: Aaron Gable <aaron@letsencrypt.org>
Date: Wed, 30 Aug 2023 15:21:30 -0700
Message-ID: <CAEmnErfJvsxR15OL2BCWX5L0g-wrv5ur3xgsH7H5U5UpR7dWNg@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000fbbf006042b5ac7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/BLVAayrTrUCegT4s2twci3Q2BY8>
Subject: [Acme] Proposal: ACME Profiles
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Aug 2023 22:21:47 -0000

Hi ACME community,

I believe it is time for us to seriously consider the topic of “profiles”.

For the purposes of this discussion, a profile is a collection of
characteristics which affect the contents of the final certificate issued
by an ACME CA. For example, two different profiles might cause certificates
to have different validity periods (e.g. 10 days vs 90 days), or different
EKUs (e.g. ServerAuth and ClientAuth vs ServerAuth only), or even be issued
from different intermediates.

Historically, profile selection within ACME has been somewhat ad-hoc:


   The NewOrder request contains “notBefore” and “notAfter” fields which
   allow clients to request certain validity periods, but other aspects of the
   certificate cannot be customized and support for these fields is minimal.
   Let’s Encrypt rejects requests which contain these fields, and Google Trust
   Services recommends that they be omitted, because clients are likely to
   request values which the server cannot respect (e.g. notBefore dates
   unacceptably far in the past, violating BRs requirements regarding

   The CSR contained in the Finalize request message can carry additional
   information, but copying values directly from CSRs to final certificates
   has been the root cause of many CA incidents, so great care must be taken.
   Let’s Encrypt does use the presence of the “ocspMustStaple” extension in
   the CSR to cause the inclusion of the same extension in the final
   certificate, but this is the only attribute we extract from the CSR and
   frankly we’d rather not even do that much.

   I’m aware of one CA which uses url query parameters to control aspects
   of the certificate profile. The client specifies query parameters in its
   configured directory URL, the directory object reflects those same
   parameters back in its newOrder URL, and then the newOrder endpoint
   processes those query parameters to affect the certificate profile.

Recently there has been an uptick in interest in profile selection in ACME.
For example, the recent PQC negotiation thread
is largely an exercise in profile selection. There’s also been significant
on the Let’s Encrypt community forum, largely prompted by the desire for
more control in intermediate selection. Let’s Encrypt itself is interested
in formalizing profile selection so that we can make backwards-incompatible
changes to our current issuance profile without breaking clients. And of
course I’ve spoken with other CAs who are interested in the same.

Therefore I believe it is time for ACME to grow support for some form of
profile selection. As argued above, I don’t think that the Finalize CSR is
a good format for this, so something will need to be added to the ACME
protocol itself. I propose the following very simple change:

1. The directory’s meta object gains a new “profiles” sub-object, whose
keys are short profile name strings (such as “default” or “rsa 2023”) and
whose values are human-readable descriptions of those profiles (such as
“our standard profile, but with a validity period of only 10 days” or a URL
pointing at more verbose documentation).

2. The Order object gains a new “profile” field, which can be set in
NewOrder requests, or will be set automatically by the Server according to
its own server policy if no recognized profile is requested.

In some of the discussions mentioned above, much more complex systems have
been proposed. These systems would establish a format for a CA to advertise
every individual adjustable field and all values each field can take.
Clients would then have the ability to both tightly customize the
certificate they request, and to compare the offerings of multiple CAs to
select the one that most closely matches their operator’s preferences.
However, I believe that such a complex system would ultimately be largely a
failure, as most operators would not have complex desires to express, most
clients would not implement complex configuration mechanisms to allow
operators to do so, most CAs would not advertise directly-comparable sets
of attributes, and if we attempted to standardize the set of advertisable
attributes we would inevitably fail to anticipate actual needs.
Additionally, we’ve seen from TLS algorithm negotiation itself that it is
better to offer a few well-studied options than to allow (poorly configured
or misinformed) clients to pick-and-choose from a wide variety of options.

Therefore I believe that this simple approach is best. It will be easy for
both clients and servers to adopt. It will allow CAs to offer well-vetted
profiles for clients who need specific attributes. And it will allow CAs to
preview upcoming profile changes to clients that want to opt in and to
gracefully evolve profiles over time.

We are already working on a draft which formalizes the proposal above, and
hope to implement a version of this in the near future to facilitate the
evolution of our own issuance profile. We’d love to hear all of your
thoughts before we embark down this path!