[Acme] Revisiting Proactive Issuance & new-order CSR
Daniel McCarney <cpu@letsencrypt.org> Tue, 19 September 2017 19:26 UTC
Return-Path: <dmccarney@letsencrypt.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 805CC134376 for <acme@ietfa.amsl.com>; Tue, 19 Sep 2017 12:26:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEkb-xjqQW_p for <acme@ietfa.amsl.com>; Tue, 19 Sep 2017 12:26:02 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59EE2134373 for <acme@ietf.org>; Tue, 19 Sep 2017 12:26:02 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id 85so726302ith.2 for <acme@ietf.org>; Tue, 19 Sep 2017 12:26:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; h=mime-version:reply-to:from:date:message-id:subject:to; bh=Tvlctq+KuF+Q31Q1AlVCvXuJWZW8gKf5EbOaEa21BTs=; b=dejxEGyi7EkfoBYdXOXZVC9ccg3knB8H1EddAZ3HmsH5CG2F43yMe8ZzxKynDRl5uu LlUjdXTSQEXP6mJ0XukDw7xjzX1beQrHjflAOSckclckMOazuIdj9y6fw4ApCGOyVKzy LTkLkKmgo5XivO5EbiQP+Shr8gDSqsGiMaLTY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:from:date:message-id :subject:to; bh=Tvlctq+KuF+Q31Q1AlVCvXuJWZW8gKf5EbOaEa21BTs=; b=MnJbC3CZGrF9KpgHiaRjx/T3C0FYfhG4RqmZxUCOfDpNl8SCB6RGeVzHDbzBxmRtre hYVAnvdWfoMKlSWVYtUjQKZB9gLG6zZSWjHkQHMTX7viOSV/Ypp6reeRYRvXJ8aqSKNx k0rUlADj3gddh0dJrrIdJ9ns94BvGZi6ZwHykjy2Nmit7Enx57kOU+NXv1eAnukcPuQj WrTkGHeb8I9pw7xxpLa5jhE2usp2SgKHhkSr1pS0di6oMULFAo220OEg9KW1Bjrm2elg DiTCxLfeA3z29/vWZvJnx/fymGWiAfdFbcB7nyewSQcFeY7vH3/RuzCSzsIiJiQji8vN Ju3A==
X-Gm-Message-State: AHPjjUiQJvtj9kR6HRzR9LW1oVblhuOzrGCoKkZWpty89GXa1e4VpTjy xb1oeo9wBtqpKAysPUcQ+anCiyOhwIcxz6DsJPs8vNNQp40=
X-Google-Smtp-Source: AOwi7QDuxSFV2+eQh2pl18gLC7KTE/6biqDvp37Lr+YqwtHSM+Z1q2jZmF5Z5fQW3ZmmJYuaJhaG2v3ooek+hbTferI=
X-Received: by 10.36.39.142 with SMTP id g136mr3508272ita.73.1505849161041; Tue, 19 Sep 2017 12:26:01 -0700 (PDT)
MIME-Version: 1.0
Reply-To: cpu@letsencrypt.org
Received: by 10.107.17.229 with HTTP; Tue, 19 Sep 2017 12:26:00 -0700 (PDT)
From: Daniel McCarney <cpu@letsencrypt.org>
Date: Tue, 19 Sep 2017 15:26:00 -0400
Message-ID: <CAKnbcLi20Z1pQ7-V3AfJ-97ULJOy5r0BFCUMnzUawS__m7q2zw@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Content-Type: multipart/alternative; boundary="001a1147cc665461a805598fd4de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/DIjJEB06J5cFyuOlGPVcY2I51vg>
Subject: [Acme] Revisiting Proactive Issuance & new-order CSR
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 19:26:05 -0000
Hi folks, Just over a year ago in a thread titled "Proactive vs On-Finalization Certificate Issuance"[0] we reached the consensus on the question of whether to issue a certificate "on-finalization" or "proactively" with the conclusion to standardize on proactive issuance. Implementation experience shows that proactive issuance is slow in practice. An order can be associated with many authorizations and an authorization can be associated with many orders. This interacts poorly with optimizations Let's Encrypt has developed from in-the-field experience with ACME and it is difficult to rate-limit effectively. I propose that we return to the on-finalization style approach and that we provide the CSR during finalization.. ## Issues with proactive issuance ### Authorization Reuse Proactive issuance requires that when an authorization is switched to a valid state by the result of a challenge update that we find the associated orders and iterate each order's authorizations to see if all of the authorizations are valid and issuance can occur. Let's Encrypt reuses existing authorizations[1][2] whenever possible, as encouraged by ACME. This has been of huge value in reducing resource consumption (both in terms of database storage and challenge/API requests). Many clients create pending authorizations they do not finalize and similarly re-create pending authorizations for identifiers that the account already has valid authorizations for. Unchecked this leads to significant database growth and resource consumption, even with aggressive rate-limits[3]. The combination of authorization reuse and proactive issuance means a given authorization can be associated with many orders. This necessitates an expensive many-to-many query at each authorization update to see if any associated orders are now complete. One possible workaround is a rate-limit that would constrain the number of orders an authorization can be associated with. However establishing the value of the limit to both reduce server-side load & also effectively support Let's Encrypt's large-volume integrators and their issuance patterns is challenging. ### CSR-first new-order flow To support proactive issuance the CA also needs to have the CSR for the order at-hand when checking each authorization in case issuance can proceed. The `new-order` request that creates the order therefore carries the full CSR that was previously delivered by the "certificate finalize" message. We see users create many more authorizations than they are able to finalize successfully. With the legacy "new-cert" flow our authorization reuse dramatically helped reduce the DB space used up by authorizations that will never lead to issuance because no CSR is stored until all identifiers are validated. With the new-order flow we have to accept and store a full CSR before handing back authorizations to the client. Reuse of authorizations does not prevent the DB bloat that will occur from users submitting new order requests and not fulfilling them. The CSR contains a full public key and is one of the single largest contributors to DB disk space usage. Addressing this will require another strict rate limit on outstanding new-orders and is again difficult to “dial-in” in to both prevent excessive resource consumption and also maintain the ability for big integrators to process large-scale issuance using our API. # Proposed Change I believe we should change the `new-order` endpoint to not accept a full CSR but to instead accept a list of identifiers that the ACME client wishes to authenticate & issue for. Authorizations can be created and returned for those domains as happens today. The order resource should be changed to have a “finalizeURL” field which provides the client a URL to POST a CSR to indicate that the CA should issue the certificate. Proactive issuance should be removed outright. This will address both the problem of scanning existing many-to-many orders & their authorizations as well as the db bloat that will occur from front-loading the delivery of the CSR. It may be tempting to leave proactive issuance as an optional feature but this will require maintaining the CSR in the new-order and I also believe that having two very distinct methods of issuance will complicate the client ecosystem and returns us to the question of how to determine which will occur that spawned the original "Proactive vs On-finalization Certificate Issuance" thread[0]. [0] https://mailarchive.ietf.org/arch/msg/acme/0lVmGl8e-rmSH0x7ycDW5dj6GAY [1] https://community.letsencrypt.org/t/upcoming-api-changes/17947 [2] https://community.letsencrypt.org/t/automatic-recycling-of-pending-authorizations/41321 [3] https://letsencrypt.org/docs/rate-limits/
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- [Acme] Revisiting Proactive Issuance & new-order … Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Logan Widick
- Re: [Acme] Revisiting Proactive Issuance & new-or… Ilari Liusvaara
- Re: [Acme] Revisiting Proactive Issuance & new-or… Jacob Hoffman-Andrews
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Andrew Ayer
- Re: [Acme] Revisiting Proactive Issuance & new-or… Salz, Rich
- Re: [Acme] Revisiting Proactive Issuance & new-or… Martin Thomson
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Roland Bracewell Shoemaker
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Hugo Landau
- Re: [Acme] Revisiting Proactive Issuance & new-or… Ilari Liusvaara
- Re: [Acme] Revisiting Proactive Issuance & new-or… Ilari Liusvaara
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Brad Warren
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Eric Rescorla
- Re: [Acme] Revisiting Proactive Issuance & new-or… Ilari Liusvaara
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Richard Barnes
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Ilari Liusvaara
- Re: [Acme] Revisiting Proactive Issuance & new-or… Daniel McCarney
- Re: [Acme] Revisiting Proactive Issuance & new-or… Andriy Mahats
- Re: [Acme] Revisiting Proactive Issuance & new-or… Jacob Hoffman-Andrews