Re: [Acme] ARI: Indication if certificate will be revoked
Corey Bonnell <Corey.Bonnell@digicert.com> Sun, 26 March 2023 22:03 UTC
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Andrew Ayer <agwa@andrewayer.name>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
CC: "acme@ietf.org" <acme@ietf.org>
Date: Sun, 26 Mar 2023 22:03:41 +0000
Message-ID: <DM6PR14MB2186D38E464FA5E86C9ACFFA928A9@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name> <DM6PR14MB2186F5867BDDAB1394F2A23492869@DM6PR14MB2186.namprd14.prod.outlook.com> <20230322163024.d6274767c10df709d7293171@andrewayer.name>
In-Reply-To: <20230322163024.d6274767c10df709d7293171@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QMZtBSaKbfun8-SXSPps0YgBnlk>
Hi Andrew,

> That could potentially be useful. Do you have any other information in mind that would be included?

My initial thoughts are that a "reason" field with a URN denoting the rationale for the specified renewal information (pending revocation, expiration, etc.) would be useful. Each reason could then have specific fields, such as "anticipatedRevocationDateTime" for the revocation case, or even the anticipated RFC5280 revocation reason code.

The "explanationURL" could also be moved to this structure as opposed to being a top-level field, as it is metadata-only. Even if only a few fields are defined within this metadata-only sub-structure, I think there's value in putting all metadata-only information within this sub-structure to avoid polluting the top-level namespace if additional fields are needed in the future.

Thanks,
Corey

-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Andrew Ayer
Sent: Wednesday, March 22, 2023 4:30 PM
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Cc: acme@ietf.org
Subject: Re: [Acme] ARI: Indication if certificate will be revoked

Hi Corey,

On Wed, 22 Mar 2023 17:55:59 +0000 Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org> wrote:

> Hi Andrew,
>
> Is the purpose of the "revocationTime" field such that ACME client
> behavior would be different than the recommended replacement
> time-selection algorithm in section 4.1, or is it to provide richer
> metadata about the pending replacement window that is potentially
> human or machine-readable?

It is the latter - to provide richer metadata about why the window is what it is. ACME client behavior would not be affected.

> If the latter, I'm wondering if we could consider defining a RFC
> 7807-style "problem document" format that would provide fuller
> information that is both human- and machine-readable. The
> "explanationURL" field as it currently exists in the draft might be
> useful for conveying human-readable information, but defining a fuller
> representation of replacement-related metadata would also allow
> machine-readable information to be conveyed.

That could potentially be useful. Do you have any other information in mind that would be included?

Regards,
Andrew
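The point both participants agree on is that the metadata sub-structure is informational only: the client's renewal-time choice is driven solely by `suggestedWindow`, and the extra fields exist for operators and tooling. The following is an added illustration written for this archive page, not code from the ARI draft or from either author. `suggestedWindow` (with `start`/`end`) and `explanationURL` are field names from draft-ietf-acme-ari; the `metadata` object, the `reason` URN, `anticipatedRevocationDateTime` and `revocationReasonCode` are hypothetical names taken from the proposal in this message, and the JSON response is constructed for the example. The selection rule (uniform random instant in the window, renew immediately if that instant has passed) follows the draft's section 4.1 recommendation as the thread describes it.

```python
"""Parse an ARI renewalInfo response carrying the proposed metadata
sub-structure, and show that the renewal-time choice ignores it."""
import json
import random
from datetime import datetime, timedelta, timezone

# Constructed sample response. Only suggestedWindow is in the draft; the
# "metadata" block and its field names are hypothetical, per the thread.
SAMPLE_RENEWAL_INFO = json.dumps({
    "suggestedWindow": {
        "start": "2023-04-01T00:00:00Z",
        "end": "2023-04-03T00:00:00Z",
    },
    "metadata": {
        "reason": "urn:example:ari:reason:pending-revocation",   # placeholder URN
        "anticipatedRevocationDateTime": "2023-04-04T12:00:00Z",
        "revocationReasonCode": 4,          # RFC 5280 CRLReason superseded(4)
        "explanationURL": "https://example.com/ari/notice",
    },
})

# Constructed response with no metadata at all: the client must cope.
SAMPLE_WITHOUT_METADATA = json.dumps({
    "suggestedWindow": {
        "start": "2023-04-01T00:00:00Z",
        "end": "2023-04-03T00:00:00Z",
    },
})


def parse_rfc3339(s):
    """Parse the 'Z'-suffixed RFC 3339 timestamps ACME responses use."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def choose_renewal_time(renewal_info_json, now, seed=None):
    """Pick a uniform random instant inside suggestedWindow; if it is already
    in the past, renew now. Nothing outside suggestedWindow is consulted."""
    info = json.loads(renewal_info_json)
    start = parse_rfc3339(info["suggestedWindow"]["start"])
    end = parse_rfc3339(info["suggestedWindow"]["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes start")
    span = (end - start).total_seconds()
    chosen = start + timedelta(seconds=random.Random(seed).uniform(0, span))
    return max(chosen, now)


def describe_metadata(renewal_info_json):
    """Return operator-facing facts from the optional metadata block without
    failing when the block, or any field inside it, is absent."""
    info = json.loads(renewal_info_json)
    meta = info.get("metadata") or {}
    when = meta.get("anticipatedRevocationDateTime")
    return {
        "reason": meta.get("reason"),
        "explanationURL": meta.get("explanationURL"),
        "revocationReasonCode": meta.get("revocationReasonCode"),
        "anticipatedRevocation": parse_rfc3339(when) if when else None,
    }


def renewal_precedes_revocation(renewal_info_json, now, seed=None):
    """Check an operator would want to alert on: does the chosen renewal time
    fall before the CA's anticipated revocation, when one is advertised?"""
    chosen = choose_renewal_time(renewal_info_json, now, seed)
    rev = describe_metadata(renewal_info_json)["anticipatedRevocation"]
    return rev is None or chosen < rev


if __name__ == "__main__":
    now = parse_rfc3339("2023-03-26T22:03:00Z")
    print("renew at", choose_renewal_time(SAMPLE_RENEWAL_INFO, now).isoformat())
    print(describe_metadata(SAMPLE_RENEWAL_INFO))
    print("renews before revocation:",
          renewal_precedes_revocation(SAMPLE_RENEWAL_INFO, now))
```

The separation into `choose_renewal_time` and `describe_metadata` mirrors the design argument in the thread: a client that never looks at `metadata` behaves identically, while monitoring can still surface the reason and the anticipated revocation date for a human.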