Re: [Acme] Call for adoption of draft-aaron-acme-ari-02
Deb Cooley <debcooley1@gmail.com> Tue, 05 July 2022 18:14 UTC
Return-Path: <debcooley1@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C945C13C543 for <acme@ietfa.amsl.com>; Tue, 5 Jul 2022 11:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.853
X-Spam-Level:
X-Spam-Status: No, score=-1.853 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67ZLOtVI1TXb for <acme@ietfa.amsl.com>; Tue, 5 Jul 2022 11:14:47 -0700 (PDT)
Received: from mail-oa1-x33.google.com (mail-oa1-x33.google.com [IPv6:2001:4860:4864:20::33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF379C13C547 for <acme@ietf.org>; Tue, 5 Jul 2022 11:14:47 -0700 (PDT)
Received: by mail-oa1-x33.google.com with SMTP id 586e51a60fabf-10bec750eedso10514053fac.8 for <acme@ietf.org>; Tue, 05 Jul 2022 11:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UxnkRtagf0b1FLzQ4xEPpR72A3+FJRNcaVaUSy6rjPU=; b=Z0nE2ZKqduhmsyUdGg7F+a3ndnY8Y2j/NJ+YI6hWWPiTQufR5gFfaB/wwEz5mrIZv9 lADnJaujBml3PttZby763ErrPOc+RfJlRxweLMSLsusSGbtXCUtuOKFwRerA7r4//wsz hjuqu/hlsT/YDg1K0Todbq3+jLEKGduTAdYvlFVZrWsxL9mSNVDGmMOax/rsWg8IgDEi CfMX6Na3qIB1qKiEPu/Gfv/4z49isGCZQZBBbj8I6Mo7KrENwmZkr2sM8/Y2CUjoKG2c kwUjkTjalddx3gMqLiV2UN7806ykaJfy6pvF0VN/Lh/yn2pKIunG2gximpoGY5zxQjlw kqSQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UxnkRtagf0b1FLzQ4xEPpR72A3+FJRNcaVaUSy6rjPU=; b=NmqfW2mkWkZ8zcY6wSJ/SX+D7UBzyOM98b4DCK4462jX9qGSgoexbFcLRsxkDQ/63z XlaMMKpJsCxvkAkOTg+23X9B3pLc4j1BEdxYMGkACcjCwui5XUlCE6ctf+rMatbjyyKl F585c3Gd6MDUgxC815gw06A/evaeHldB4XsNbJLBzKon54it0NQUTbNeQfwnfadcAeop ho43E9KqEptUD4RIaAu3G9Gjppy5COe73T1BuVQb5ENNZh475fECiXYmrcgcRrjmtDCC 8nZhGgZf6GirTCSPnbXUJ9ejJ9ioB9xVDdfX3KWGhSJvossUbUsILrrJviB14NEdX0QT 4nJw==
X-Gm-Message-State: AJIora9ZTau9HBc3ZEzJbyAxB+LEkckD8yIJQxGTGk3i21KmMkqSwkfk LqtUXOyr8YbbzObFSoEqKiRy+ki+gzfhabmoMzerEOM=
X-Google-Smtp-Source: AGRyM1uzTduVlt639d60iTYWxRDgwvU4s/7ms7m+zjjHe2xyd+QcHYK1MNLlLxrv7XjjLhcilU02nYEjP2UbxvrZUrQ=
X-Received: by 2002:a05:6870:6195:b0:100:ee8a:ce86 with SMTP id a21-20020a056870619500b00100ee8ace86mr23950103oah.40.1657044886930; Tue, 05 Jul 2022 11:14:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAGgd1OevCu61rbCAOv1fcB-eFoRD6CMKnj=5Qy6XVqQroakR0g@mail.gmail.com> <59df1980-2a2a-2e49-09fa-91c1fbef4563@desec.io> <CAEmnEreNCz1t-qMS3aa0n0nFwMzi4UfDsyJdGkApWdkzD=PYbQ@mail.gmail.com> <58fb7fd0-7cb7-2d90-a333-391c1d001253@desec.io>
In-Reply-To: <58fb7fd0-7cb7-2d90-a333-391c1d001253@desec.io>
From: Deb Cooley <debcooley1@gmail.com>
Date: Tue, 05 Jul 2022 14:14:35 -0400
Message-ID: <CAGgd1Oet1+esJxxLD9xZhVO95Jm1H==vUgzHbd-jKeSYVCwiXg@mail.gmail.com>
To: IETF ACME <acme@ietf.org>
Cc: Aaron Gable <aaron=40letsencrypt.org@dmarc.ietf.org>, Dorothy E Cooley <decoole@radium.ncsc.mil>
Content-Type: multipart/alternative; boundary="000000000000dcc9d205e312d3d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FeSyaMMhm1CV1qEF6TxpnxJ-1fo>
Subject: Re: [Acme] Call for adoption of draft-aaron-acme-ari-02
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 18:14:51 -0000
Thanks to Rich, Melinda and Peter for voicing your opinion to adopt this draft. We would like it if a few more people would read this draft and state whether you think it should be adopted (or not). After the positive response in Vienna we were a little surprised to see so few responses here. For your ACME WG Chairs, Deb On Wed, Jun 29, 2022 at 1:24 PM Peter Thomassen <peter@desec.io> wrote: > Hi Aaron, > > On 6/18/22 01:48, Aaron Gable wrote: > > You can find prior discussion in these threads: > > - > https://mailarchive.ietf.org/arch/msg/acme/b-RddSX8TdGYvO3f9c7Lzg6I2I4/ < > https://mailarchive.ietf.org/arch/msg/acme/b-RddSX8TdGYvO3f9c7Lzg6I2I4/>, > the very original proposal, which discusses are variety of motivations and > alternate implementations > > - > https://mailarchive.ietf.org/arch/msg/acme/UMRzzS6yh-D6ViwjYt0fgx213qY/ < > https://mailarchive.ietf.org/arch/msg/acme/UMRzzS6yh-D6ViwjYt0fgx213qY/>, > my revival of the idea, which addresses some of the concerns in the > original thread > > Thank you for these pointers. > > > It's not my experience that RFCs in this space dedicate significant > space in their text to discussing alternative designs, but if others would > like to see a section like that added to the draft I'm happy to oblige. > > I don't think much argument is needed, but I think it would be helpful to > add at least one compelling use case to the introduction that hints at the > insufficiency of the obvious alternatives that would come to mind (that is, > client-side jittering). Perhaps like this (drop-in for the last paragraph): > > Being able to indicate to the client a period in which the issuing CA > suggests renewal would allow proactive smearing of load (as client-side > jittering would), but also enable dynamic changes to the certificate > validity period, such as in the event of mass-revocation of a large > number of certificates, and help restore normality after such an event > by having clients quickly redistribute from the sudden renewal spike to > a moreuniform renewal schedule. > > This document specifies a mechanism by which ACME servers may provide > suggestedrenewal windows to ACME clients. > > > Yes, of course clients could simply implement smearing on their own. But > they have little motivation to do so -- there's no standard documenting how > they should do so, and it's statistically rare that any one out of hundreds > of millions of clients is the one affected by a given load spike. They can > just retry and be fine. Having a standard for this provides a template or > framework to encourage clients to all implement this in the same way. > > I'm afraid there will be little motivation for updating legacy clients, > regardless of whether the update would bring client-side ARI support (as > documented by a standard) or client-side smearing (which could also be > standardized). > > It's the typical upgrade-with-backwards-compatibility problem: Unless ACME > servers would REQUIRE clients to support ARI (which would be a breaking > change), clients might not upgrade. If they do, chances are that they have > a proper update process, in which case they'd receive any update, > regardless of which solution is standardized. > > So, regarding client-side deployability, I think that ARI has no advantage > over client-side smearing. > > > Suppose that a CA revokes and replaces 100M certificates in a single > day. Suppose further that, as you suggest, they smear their validity > periods by 1%, meaning that clients will try to renew somewhere between 59 > and 61 days after the incident. How many renewal cycles will it take for > that 100M-cert-tall load spike to flatten back out into the whole 60 days > of smooth issuance it previously covered? > > Convinced! > > > Suppose that a CA suffers an incident and knows that they will have to > revoke and replace 100M certificates in the next 24 hours. They could > configure ARI to give all clients a renewal window in the past, encouraging > every client that checks in to immediately renew their certificate, > minimizing the real-world impact of a mass revocation event. And then they > go immediately to the case described above, to prevent additional fallout. > > That's very convincing, too. I think it would help if the intro gave a > glimpse of these use cases. > > > I hope this provides more insight into why we've gone this direction > with the design, and why the draft is important! > > Surely, thanks! I hope I did not hold up the draft with my critical > questions :-) Thank you for being open for discussion. > > I support adoption. > > Best, > Peter > > -- > https://desec.io/ >
- [Acme] Call for adoption of draft-aaron-acme-ari-… Deb Cooley
- Re: [Acme] Call for adoption of draft-aaron-acme-… Peter Thomassen
- Re: [Acme] Call for adoption of draft-aaron-acme-… Aaron Gable
- Re: [Acme] Call for adoption of draft-aaron-acme-… Melinda Shore
- Re: [Acme] Call for adoption of draft-aaron-acme-… Peter Thomassen
- Re: [Acme] Call for adoption of draft-aaron-acme-… Deb Cooley