Re: [Acme] ARI: Indication if certificate will be revoked

Corey Bonnell <Corey.Bonnell@digicert.com> Sun, 26 March 2023 22:03 UTC

From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Andrew Ayer <agwa@andrewayer.name>, Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
CC: "acme@ietf.org" <acme@ietf.org>
Thread-Topic: [Acme] ARI: Indication if certificate will be revoked
Date: Sun, 26 Mar 2023 22:03:41 +0000
Message-ID: <DM6PR14MB2186D38E464FA5E86C9ACFFA928A9@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name> <DM6PR14MB2186F5867BDDAB1394F2A23492869@DM6PR14MB2186.namprd14.prod.outlook.com> <20230322163024.d6274767c10df709d7293171@andrewayer.name>
In-Reply-To: <20230322163024.d6274767c10df709d7293171@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/QMZtBSaKbfun8-SXSPps0YgBnlk>

Hi Andrew,

> That could potentially be useful.  Do you have any other information in
> mind that would be included?

My initial thoughts are that a "reason" field with a URN denoting the
rationale for the specified renewal information (pending revocation,
expiration, etc.) would be useful. Each reason could then have specific
fields, such as "anticipatedRevocationDateTime" for the revocation case, or
even the anticipated RFC5280 revocation reason code.

The "explanationURL" could also be moved to this structure as opposed to
being a top-level field, as it is metadata-only.

Even if only a few fields are defined within this metadata-only
sub-structure, I think there's value in putting all metadata-only
information within this sub-structure to avoid polluting the top-level
namespace if additional fields are needed in the future.

Thanks,
Corey
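
The metadata sub-structure proposed above, sketched as an added example (not code from the ARI draft or from either poster): a client reads its renewal time from "suggestedWindow" (the draft's existing field) and only logs the informational fields, so the metadata cannot change client behaviour. The "metadata" object, its "reason" URN, "anticipatedRevocationDateTime", "revocationReasonCode" and all sample values are assumptions constructed for this example.

```python
import json
import random
from datetime import datetime

# RFC 5280 CRLReason codes, named here only so logs are readable.
RFC5280_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
                   3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
                   6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}

# Constructed sample. "suggestedWindow" is the ARI draft's field; the "metadata"
# object and everything in it is a hypothetical sketch of the proposal above.
SAMPLE_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2023-04-01T00:00:00Z", "end": "2023-04-03T00:00:00Z"},
    "metadata": {
        "reason": "urn:example:ari:reason:pending-revocation",  # hypothetical URN
        "anticipatedRevocationDateTime": "2023-04-05T00:00:00Z",
        "revocationReasonCode": 4,
        "explanationURL": "https://ca.example/notice/1234",      # constructed
    },
})

def parse_rfc3339(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def select_renewal_time(info, fraction=None):
    """Uniformly random instant inside suggestedWindow; reads only the window."""
    start = parse_rfc3339(info["suggestedWindow"]["start"])
    end = parse_rfc3339(info["suggestedWindow"]["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes start")
    return start + (end - start) * (random.random() if fraction is None else fraction)

def describe_metadata(info):
    """Log-friendly view of the optional metadata; never alters renewal timing."""
    meta = info.get("metadata") or {}
    out = {"reason": meta.get("reason"), "explanationURL": meta.get("explanationURL")}
    code = meta.get("revocationReasonCode")
    if code is not None:  # tolerate codes this client does not know
        out["revocationReason"] = RFC5280_REASONS.get(code, f"unknown({code})")
    when = meta.get("anticipatedRevocationDateTime")
    if when:
        rev = parse_rfc3339(when)
        out["anticipatedRevocation"] = rev.isoformat()
        # Flag a window ending after the anticipated revocation: it could hand out a slot that is too late.
        out["windowEndsBeforeRevocation"] = parse_rfc3339(info["suggestedWindow"]["end"]) <= rev
    return out

def process_ari_response(raw, fraction=None):
    info = json.loads(raw)
    return select_renewal_time(info, fraction), describe_metadata(info)
```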

-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Andrew Ayer
Sent: Wednesday, March 22, 2023 4:30 PM
To: Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org>
Cc: acme@ietf.org
Subject: Re: [Acme] ARI: Indication if certificate will be revoked

Hi Corey,

On Wed, 22 Mar 2023 17:55:59 +0000
Corey Bonnell <Corey.Bonnell=40digicert.com@dmarc.ietf.org> wrote:

> Hi Andrew,
> Is the purpose of the "revocationTime" field such that ACME client
> behavior would be different than the recommended replacement
> time-selection algorithm in section 4.1, or is it to provide richer
> metadata about the pending replacement window that is potentially
> human or machine-readable?

It is the latter - to provide richer metadata about why the window is what
it is.  ACME client behavior would not be affected.

> If the latter, I'm wondering if we could consider defining a RFC 
> 7807-style "problem document" format that would provide fuller 
> information that is both human- and machine-readable. The 
> "explanationURL" field as it currently exists in the draft might be 
> useful for conveying human-readable information, but defining a fuller 
> representation of replacement-related metadata would also allow 
> machine-readable information to be conveyed.

That could potentially be useful.  Do you have any other information in mind
that would be included?

Regards,
Andrew
