[Acme] More specific error codes for certificate revocation, at least for some cases?
Felix Fontein <felix@fontein.de> Tue, 12 June 2018 21:04 UTC
Date: Tue, 12 Jun 2018 23:04:18 +0200
From: Felix Fontein <felix@fontein.de>
To: IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/RRtoZsD4ZTVRXddtORwMp4Jj4Ac>
Hi,

while implementing certificate revocation in an ACME client, I noticed that the current ACME draft is very vague about errors to return when revocation fails. The draft says "If the revocation fails, the server returns an error." (https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.6), which is followed by an example which returns urn:ietf:params:acme:error:unauthorized with detail "No authorization provided for name example.net".

When trying this out with Boulder (Let's Encrypt staging), I noticed that Boulder returns urn:ietf:params:acme:error:malformed with detail "Certificate already revoked" if the certificate has already been revoked. On the other hand, the Pebble testing server simply returns a 404 error.

I think it would make sense to define more specific error codes the server could return for certificate revocation. In particular, there should be an error code for "certificate has already been revoked" (maybe urn:ietf:params:acme:error:alreadyRevoked?). This would make it easier for clients to detect this specific situation.

The rationale behind this is that it allows the client to distinguish between errors which require no user intervention (if the certificate has already been revoked, the action the user wanted to perform did fail, but everything is fine since there is no need to still revoke the certificate), and errors which require user intervention (if the certificate was not revoked, and the user has to do something to make sure it is really revoked, like providing the correct account key / private key).

Without a well-defined error, a client author has to guess (or simply assume that every server behaves as Boulder and sends the same error detail).

Thank you for your consideration,
Felix
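The distinction the message asks for, sketched as client-side handling of the three server behaviours it reports (an added example, not part of the original message and not taken from any ACME client). The function name, the verdict strings, and the sample HTTP statuses and bodies are assumptions; only the error types and detail strings come from the message.

```python
import json

ACME_ERR = "urn:ietf:params:acme:error:"
# Error type proposed in the message; honoured here if a server sends it.
ALREADY_REVOKED = ACME_ERR + "alreadyRevoked"


def classify_revocation_failure(status, content_type, body):
    """Map a failed revocation response to a client decision (hypothetical helper).

    "already_revoked"  - explicit error type, nothing left to do
    "probably_revoked" - inferred from Boulder's detail text, a heuristic only
    "user_action"      - certificate is presumably still valid, user must act
    "ambiguous"        - cannot tell, so never report success
    """
    if status < 400:
        raise ValueError("not an error response")
    problem = {}
    if content_type.split(";")[0].strip().lower() == "application/problem+json":
        try:
            parsed = json.loads(body)
            if isinstance(parsed, dict):
                problem = parsed
        except ValueError:
            pass  # unparsable body: fall through to "ambiguous"
    err_type = str(problem.get("type", ""))
    detail = str(problem.get("detail", ""))
    if err_type == ALREADY_REVOKED:
        return "already_revoked"
    # Detail strings are free text and server-specific; match them last.
    if err_type == ACME_ERR + "malformed" and "already revoked" in detail.lower():
        return "probably_revoked"
    if err_type == ACME_ERR + "unauthorized":
        return "user_action"
    return "ambiguous"


# Constructed sample responses; HTTP statuses and bodies are assumptions,
# only the error types and detail strings come from the message.
BOULDER = (400, "application/problem+json", json.dumps(
    {"type": ACME_ERR + "malformed", "detail": "Certificate already revoked"}))
PEBBLE = (404, "text/plain; charset=utf-8", "")
DRAFT_EXAMPLE = (403, "application/problem+json", json.dumps(
    {"type": ACME_ERR + "unauthorized",
     "detail": "No authorization provided for name example.net"}))

if __name__ == "__main__":
    for name, resp in [("boulder", BOULDER), ("pebble", PEBBLE), ("draft", DRAFT_EXAMPLE)]:
        print(name, classify_revocation_failure(*resp))
```

A bare 404 stays "ambiguous": without a problem document the client cannot tell an already-revoked certificate from an unknown one, so it should not report the revocation as done.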