Re: [Acme] Authorizations and Certificates in Registrations

Niklas Keller <> Sat, 05 December 2015 20:10 UTC


2015-12-05 20:38 GMT+01:00 Jacob Hoffman-Andrews <>:

> > what's the reason why "authorizations" and "certificates" are optional
> > in registration objects? They should both not be optional IMO, because
> > they can be used nicely to lower the load on the CA, because clients can
> > reuse prior authorizations and even download lost certificates easily.
> > This also makes revocation easier, because you can simply list all valid
> > certificates for a given account key.
>
> This is a good question. I would support making it mandatory in the
> protocol. We haven't yet implemented it in Let's Encrypt, but it's on
> the roadmap and it's an important feature.
>
> Speaking of which, I've been meaning to suggest a fix to this feature.
> Right now it specifies a list to be embedded in the new-reg object. It's
> likely that some registrations will have very large lists of
> authorizations and/or certificates, making them prohibitive to embed
> directly in the registration.
>
> Instead, I propose that there be a URL for authorizations and a URL for
> certificates for each registration. These URLs would return a JSON list
> of URLs for the relevant objects, and possibly a Link header with
> rel=next for pagination if the number of results is above a
> (server-configured) threshold. Pagination is a very common approach to
> large data sets in web services.

It's already a URL, but paging isn't mentioned yet.
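As an added illustration of the scheme discussed in this thread (a registration whose "authorizations" field is a URL returning a JSON list of URLs, continued via a Link header with rel="next"), here is a small client-side walker. This is example code written for this archive page, not code from the ACME draft, from Let's Encrypt or from either poster; the ca.example URLs, the `?page=N` query parameter and the in-memory fake server are constructed assumptions, since the thread does not specify how a server names its pages. The walker bounds the number of pages it will follow and refuses to revisit a URL, so a broken or hostile server cannot keep the client looping.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# A response is (status, headers, body); the fetcher is injected so the
# example runs offline against a constructed fake server.
Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str], Response]

# Matches one link-value in an RFC 8288 Link header: <url> followed by ;-separated params.
LINK_RE = re.compile(r'<([^>]+)>\s*((?:;\s*[^,;]+)*)')


def parse_link_header(header: str) -> Dict[str, str]:
    """Return {relation: url} for every link-value in a Link header."""
    links: Dict[str, str] = {}
    for match in LINK_RE.finditer(header):
        url, params = match.group(1), match.group(2)
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "rel":
                # rel may carry several space-separated relation types.
                for rel in value.strip().strip('"').split():
                    links[rel] = url
    return links


def collect_paginated_urls(start_url: str, fetch: Fetcher, max_pages: int = 100) -> List[str]:
    """Follow rel="next" links from start_url and concatenate the JSON lists.

    Raises ValueError on a non-200 response, a body that is not a list of
    strings, a page that links back to one already seen, or more than
    max_pages pages, so the client never trusts the server unboundedly.
    """
    collected: List[str] = []
    seen: Set[str] = set()
    url: Optional[str] = start_url
    while url is not None:
        if url in seen:
            raise ValueError(f"pagination loop detected at {url}")
        if len(seen) >= max_pages:
            raise ValueError(f"more than {max_pages} pages; giving up")
        seen.add(url)
        status, headers, body = fetch(url)
        if status != 200:
            raise ValueError(f"unexpected status {status} for {url}")
        page = json.loads(body)
        if not isinstance(page, list) or not all(isinstance(u, str) for u in page):
            raise ValueError(f"page at {url} is not a JSON list of URLs")
        collected.extend(page)
        # Header names are case-insensitive; normalise before lookup.
        lowered = {k.lower(): v for k, v in headers.items()}
        link = lowered.get("link")
        url = parse_link_header(link).get("next") if link else None
    return collected


# Constructed sample data: one registration whose authorization list spans three pages.
REG_URL = "https://ca.example/acme/reg/1"
AUTHZ_LIST = "https://ca.example/acme/reg/1/authz"

FAKE_SERVER: Dict[str, Response] = {
    REG_URL: (200, {"Content-Type": "application/json"}, json.dumps({
        "key": {"kty": "RSA", "n": "...", "e": "AQAB"},
        "authorizations": AUTHZ_LIST,
        "certificates": "https://ca.example/acme/reg/1/cert",
    }).encode()),
    AUTHZ_LIST: (200, {"Link": f'<{AUTHZ_LIST}?page=2>; rel="next", <{REG_URL}>; rel="up"'},
                 json.dumps(["https://ca.example/acme/authz/a1",
                             "https://ca.example/acme/authz/a2"]).encode()),
    AUTHZ_LIST + "?page=2": (200, {"link": f'<{AUTHZ_LIST}?page=3>; rel="next"'},
                             json.dumps(["https://ca.example/acme/authz/a3"]).encode()),
    AUTHZ_LIST + "?page=3": (200, {}, json.dumps(["https://ca.example/acme/authz/a4"]).encode()),
}


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP GET against the constructed server."""
    return FAKE_SERVER.get(url, (404, {}, b"{}"))


def list_registration_authorizations(reg_url: str, fetch: Fetcher = fake_fetch) -> List[str]:
    """Read the registration, then walk its "authorizations" URL to the end."""
    status, _, body = fetch(reg_url)
    if status != 200:
        raise ValueError(f"could not read registration: status {status}")
    registration = json.loads(body)
    return collect_paginated_urls(registration["authorizations"], fetch)


if __name__ == "__main__":
    for authz_url in list_registration_authorizations(REG_URL):
        print(authz_url)
```

The same walker serves the "certificates" URL unchanged, which is what makes the "list all valid certificates for an account key, then revoke" workflow from the thread practical on the client side; the page cap and loop check are the part a CA client should not leave out.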