Re: [Acme] Authorizations and Certificates in Registrations

Jacob Hoffman-Andrews <jsha@eff.org> Sat, 05 December 2015 19:38 UTC

To: Niklas Keller <me@kelunik.com>, IETF ACME <acme@ietf.org>
References: <CANUQDCjv6oVAyFNm8pQfmEzEJ+s+HsAS7OkV5H3U1X8JWHaRNA@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <56633D3D.5060203@eff.org>
Date: Sat, 5 Dec 2015 11:38:37 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/JNhsZoWFCYKHzgjqSj6X1Ti_9_k>

> what's the reason why "authorizations" and "certificates" are optional
> in registration objects? They should both not be optional IMO, because
> they can be used nicely to lower the load on the CA, because clients can
> reuse prior authorizations and even download lost certificates easily.
> This also makes revocation easier, because you can simply list all valid
> certificates for a given account key.

This is a good question. I would support making it mandatory in the
protocol. We haven't yet implemented it in Let's Encrypt, but it's on
the roadmap and it's an important feature.

Speaking of which, I've been meaning to suggest a fix to this feature.
Right now it specifies a list to be embedded in the new-reg object. It's
likely that some registrations will have very large lists of
authorizations and/or certificates, making them prohibitive to embed
directly in the registration.

Instead, I propose that there be a URL for authorizations and a URL for
certificates for each registration. These URLs would return a JSON list
of URLs for the relevant objects, and possibly a Link header with
rel=next for pagination if the number of results is above a
(server-configured) threshold. Pagination is a very common approach to
large data sets in web services.
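The client side of the scheme proposed above, as an added example that is not code from this message, from Let's Encrypt, or from any ACME implementation: a walker that fetches a per-registration list URL, reads each page as a JSON array of URLs, and follows the Link rel="next" header until it runs out. The list URL, the ?cursor= query parameter, the page size and the in-memory "server" are all assumptions constructed for the example; the walker also refuses next links that leave the CA's origin, revisited pages, and unbounded page counts, which are the checks a practitioner would want before trusting a server-driven chain of URLs.

```python
import json
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# A fetch function returns (status, headers, body) for a URL. A real client
# would wrap an HTTP library; here a constructed in-memory server stands in.
Fetch = Callable[[str], Tuple[int, Dict[str, str], str]]


def parse_link_header(value: str) -> Dict[str, str]:
    """Map rel -> target for a Link header such as
    '<https://ca.example/acme/reg/1/authorizations?cursor=2>; rel="next"'."""
    links: Dict[str, str] = {}
    for target, rel in re.findall(r'<([^>]*)>\s*;\s*rel="?([^";,]+)"?', value):
        links[rel.strip().lower()] = target
    return links


def collect_paginated(url: str, fetch: Fetch, max_pages: int = 1000) -> List[str]:
    """Walk a paginated list resource: each page is a JSON array of URLs and a
    Link: rel="next" header names the following page. Rejects next links that
    leave the origin of the first page, URLs already visited (a loop), and more
    than max_pages pages, so a misbehaving server cannot spin the client."""
    origin = urlsplit(url)[:2]          # (scheme, netloc) of the list URL
    seen = set()
    items: List[str] = []
    while url:
        if urlsplit(url)[:2] != origin:
            raise ValueError(f"next link leaves origin: {url}")
        if url in seen:
            raise ValueError(f"pagination loop at {url}")
        if len(seen) >= max_pages:
            raise ValueError("too many pages")
        seen.add(url)
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"{url}: HTTP {status}")
        page = json.loads(body)
        if not isinstance(page, list) or not all(isinstance(u, str) for u in page):
            raise ValueError(f"{url}: body is not a JSON list of URLs")
        items.extend(page)
        url = parse_link_header(headers.get("Link", "")).get("next")
    return items


def make_fake_server(list_url: str, all_items: List[str], page_size: int,
                     loop: bool = False) -> Fetch:
    """Constructed stand-in for the CA (assumption, not a real ACME server):
    serves all_items in pages of page_size behind list_url, using a
    hypothetical ?cursor=N query and Link rel="next". With loop=True the last
    page points back at the first page, to exercise the loop guard."""
    def fetch(url: str) -> Tuple[int, Dict[str, str], str]:
        m = re.search(r"[?&]cursor=(\d+)", url)
        start = int(m.group(1)) if m else 0
        chunk = all_items[start:start + page_size]
        headers: Dict[str, str] = {}
        nxt = start + page_size
        if nxt < len(all_items):
            headers["Link"] = f'<{list_url}?cursor={nxt}>; rel="next"'
        elif loop:
            headers["Link"] = f'<{list_url}>; rel="next"'
        return 200, headers, json.dumps(chunk)
    return fetch


# Constructed sample data: five authorization URLs behind a per-registration
# "authorizations" URL. Paths are hypothetical, not Let's Encrypt's.
AUTHZ_LIST_URL = "https://ca.example/acme/reg/1234/authorizations"
AUTHZ_URLS = [f"https://ca.example/acme/authz/{i}" for i in range(5)]

if __name__ == "__main__":
    fetch = make_fake_server(AUTHZ_LIST_URL, AUTHZ_URLS, page_size=2)
    for authz_url in collect_paginated(AUTHZ_LIST_URL, fetch):
        print(authz_url)
```

With a page size of 2 the walker makes three requests and returns the five URLs in server order; the same function serves a "certificates" URL unchanged, since both are just lists of URLs to the underlying objects. The origin check matters because the Link header is server-controlled: a client that blindly follows it would otherwise let any URL in the chain redirect it (and its account-key-signed requests) to a different host.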