[Acme] Renewal Information extension: Proposal to add an Explanation URL

"J.C. Jones" <ietf@insufficient.coffee> Thu, 10 February 2022 04:31 UTC

From: "J.C. Jones" <ietf@insufficient.coffee>
Date: Wed, 09 Feb 2022 21:31:08 -0700
Message-ID: <CALrMbp_M74q=WE02vuF6Ey+YMe_E1VOmN9yHS4AdxwUPpX=y1w@mail.gmail.com>
To: acme@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/GFDPNv_aYUz1lp_xSMId9HOG9v8>
Subject: [Acme] Renewal Information extension: Proposal to add an Explanation URL
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>

While ARI is clearly intended for automated usage, its ease of
construction permits interested third parties with knowledge of a
certificate to request the ARI information as well as the
certificate's subscriber. This is a feature, not a bug, as it permits
another useful use case:

Imagine a certificate lifecycle tool that monitors many TLS endpoints
for certificate lifetime and status. Such a tool could naturally also
query the ARI endpoint for each compatible certificate, as a means of
determining certificate lifetime in the face of pending revocation.

When the tool notices via ARI that a certificate should be renewed
early, that's probably going to generate alerts -- and it would be
valuable to those receiving an alert for a certificate that suddenly
needs renewal to have some context as to why, if it's possible.

Hence, I propose we add an optional field to the ARI response
structure, "explanationURL", which when populated should be presented
in any user-visible context (logging, alerting, etc.) by the
ARI-compatible client. It would be up to the Certificate Authority to
ensure the presented URL has appropriately translated information for the
operator, and the CA _should_ only provide the field if there was
something exceptional that warranted additional explanation or
context.

J.C.
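As an added example (not code from the message above, the ACME working group, or the ARI draft), here is the client-side logic a monitoring tool of the kind described could run over an ARI response. It assumes the renewalInfo JSON carries draft-ietf-acme-ari's "suggestedWindow" with RFC 3339 "start" and "end" timestamps plus the optional "explanationURL" proposed in the message; the sample responses, hostnames, the fixed clock and the https-only check on the URL are my own constructions, not anything the draft or the message specifies.

```python
"""Added example: consume an ACME ARI renewalInfo response in a monitoring
tool and surface the proposed "explanationURL" in the resulting alert.

Assumptions (mine, not the message's or the draft's): the body is the JSON
object with "suggestedWindow": {"start", "end"} (RFC 3339) and an optional
"explanationURL" string. Sample data below is constructed for this example.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RenewalDecision:
    renew_now: bool                 # True once the suggested window has opened
    window_start: datetime
    window_end: datetime
    explanation_url: Optional[str]  # set only when present and an https URL


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime.
    fromisoformat() before Python 3.11 rejects a trailing 'Z', so it is
    rewritten as an explicit +00:00 offset first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError("ARI timestamps must carry a UTC offset")
    return parsed.astimezone(timezone.utc)


def sanitize_explanation_url(value: object) -> Optional[str]:
    """Accept only an absolute https URL (my design choice). The field ends
    up in logs and alert text read by operators, so a client should not
    relay arbitrary strings such as javascript: or file: URLs verbatim."""
    if not isinstance(value, str):
        return None
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return value


def evaluate_renewal_info(body: str, now: datetime) -> RenewalDecision:
    """Turn a renewalInfo JSON body into a renewal decision as of `now`."""
    info = json.loads(body)
    window = info["suggestedWindow"]
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes its start")
    return RenewalDecision(
        renew_now=now >= start,  # past 'end' also means renew now: the client is late
        window_start=start,
        window_end=end,
        explanation_url=sanitize_explanation_url(info.get("explanationURL")),
    )


def format_alert(cert_name: str, decision: RenewalDecision,
                 scheduled_renewal: datetime) -> Optional[str]:
    """Operator-facing alert when ARI asks for renewal earlier than the
    tool's own schedule would have renewed; None when nothing is unusual."""
    if not decision.renew_now or decision.window_start >= scheduled_renewal:
        return None
    text = (f"{cert_name}: CA suggests renewing now, ahead of the scheduled "
            f"renewal at {scheduled_renewal.isoformat()} (ARI window "
            f"{decision.window_start.isoformat()} to {decision.window_end.isoformat()})")
    if decision.explanation_url:
        text += f"; see {decision.explanation_url}"
    return text


# Constructed sample responses (not real CA output) and a fixed clock.
NOW = datetime(2022, 2, 10, 4, 31, tzinfo=timezone.utc)
SCHEDULED = datetime(2022, 3, 1, tzinfo=timezone.utc)

ROUTINE_RESPONSE = json.dumps({"suggestedWindow": {
    "start": "2022-03-01T00:00:00Z", "end": "2022-03-03T00:00:00Z"}})

EARLY_RESPONSE = json.dumps({"suggestedWindow": {
    "start": "2022-02-09T00:00:00Z", "end": "2022-02-11T00:00:00Z"},
    "explanationURL": "https://ca.example/incidents/2022-02-09"})

EARLY_BAD_URL_RESPONSE = json.dumps({"suggestedWindow": {
    "start": "2022-02-09T00:00:00Z", "end": "2022-02-11T00:00:00Z"},
    "explanationURL": "javascript:alert(1)"})

if __name__ == "__main__":
    for name, body in [("routine", ROUTINE_RESPONSE), ("early", EARLY_RESPONSE),
                       ("early-bad-url", EARLY_BAD_URL_RESPONSE)]:
        decision = evaluate_renewal_info(body, NOW)
        print(name, "->", format_alert("www.example.net", decision, SCHEDULED))
```

The alert fires only when the suggested window opens before the tool's own scheduled renewal, which is the "suddenly needs renewal" case the message describes; a routine window that the normal schedule already covers produces no alert. Because a third party can fetch the same ARI record, the tool never treats the explanation as authoritative, only as a pointer, and drops anything that is not an https URL before it reaches a log line or a pager.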