[Acme] Re: ACME and PLANTS
Seo Suchan <tjtncks@gmail.com> Mon, 13 April 2026 20:07 UTC
Return-Path: <tjtncks@gmail.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6B852DB897F9 for <acme@mail2.ietf.org>; Mon, 13 Apr 2026 13:07:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1776110852; bh=tgyomlEbmMREde++d4ir/T6rIr3+Cz2gbv49Cyxm6lo=; h=Date:From:To:Subject:In-Reply-To:References; b=m/e8lqZ3jWGwTMO2U41h15d4hpdMcBFpHb65SPXOhUj2/dvmCzXxfMKO9hzeSyMkJ 0w4tBI6XIkIhf9IJ+hlBHwgf4YepJGiOp+uLt2+PLsqrfM72iLXieQ/HEkZnN3TLBf JLe/N2qywSbDxd7YvObfUSNaFNEp+fqQkkI8xZdA=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -0.588
X-Spam-Level:
X-Spam-Status: No, score=-0.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.999, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EUSByzV7ToBt for <acme@mail2.ietf.org>; Mon, 13 Apr 2026 13:07:31 -0700 (PDT)
Received: from mail-yw1-x112c.google.com (mail-yw1-x112c.google.com [IPv6:2607:f8b0:4864:20::112c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BC6B5DB89288 for <acme@ietf.org>; Mon, 13 Apr 2026 13:06:26 -0700 (PDT)
Received: by mail-yw1-x112c.google.com with SMTP id 00721157ae682-7982c3b7dfcso47031367b3.0 for <acme@ietf.org>; Mon, 13 Apr 2026 13:06:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776110786; x=1776715586; darn=ietf.org; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=pNNGnUEGID255PCbrg5YeGvzF68bg6/fJtSYuC9l+W8=; b=iSAQ0Ed6zAaNa9zYtc5trWIA0OXkxkhA8Y+q0cZjc523+A/cRznTBe0eJmZwHiedJt vzyBSq2bzWjTJB9wEKoaZQyb98KhhmoCoJK6l3unNxNOFY2DcIN88AARPJfCyqmNYJaK 4WdzHx9I3qcaCzaNS4nICAhvYRE0nZaUGiytcsA9JC/vQyXZqsGy+RYbLyTqRl3ARxWN 7sQvb/XuGsKiyKtsNc+ql8yH/xwMGxvwXtchEuZ15SXlFjde08iTXBnb7fxx2XCLi2Be q6PYa9aQkeGYhQnADoYDmUiclrQDdeAZU+JrbXVLE61xbnteZWQ9HjB0yUGdHcd1N9K3 nWWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776110786; x=1776715586; h=content-transfer-encoding:mime-version:message-id:references :in-reply-to:user-agent:subject:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=pNNGnUEGID255PCbrg5YeGvzF68bg6/fJtSYuC9l+W8=; b=aCajeTo9/bKYAIOprq8L8y4a4G6bPlw79x219naBEmPLei4/e/eoq4iXS4zFCuWr6k Fpwt+EdH0Osn9yTYtG0yEWR21SlhTb51FIzntdLDrgD97A2cldxxyeb6ekamwVDEMjoT HzxIaaoyettkSzLHcSPCjVTijzQFkg/12pjKUGn8ypArohfDlR43kSLJa57yjV6NLrXm 7scsta6xaA07H20iOB4hvTr2Ntox7XmTu3MHQKR7IjdEYLc1t15+L69fDg/O1CcZbMcn yqO6aEwQ3o9yjk3veWyj+fqNkNYZSpVYPkeFNxiLpLRzJs8VFsUgKQm3/+6g1NYjZAGr yGJw==
X-Gm-Message-State: AOJu0YyH2BFuLkngBS8Sk4MCil0T1rTg97xVUMwHfZfhJAmPSvUJ3x+1 xfzQqIp4IYSvTZ/DF71PggvYTUzUKFDbp9S2CHW0R3WecjgmzE7jQAwbLf/vZQ==
X-Gm-Gg: AeBDieugNfydbaRXde3BcRu1c/F8GLf5cWTdmPmxtzQ7Kuf0Fmg970L3f6QJ0P4X8Ju H+eJguNN67v4T2EgNSiuLpPHN2fK/cBTKRiXR8YGCfq2YeeyqWf7dTmLtPh/Ast2quxa4lrrSkn LgUdCGcAJktQpWVHSGj34JVVv5B2ehaowMZxvrMA1PvMjdvtDr3aKNsUIOxMWetDzU3bBXF06Tt wUHDHY/gr8Oo3ydIKjP/e2AZq+B1cEBGn7kfXGDXO4Jl2yTo0ejZsdz50XennRUwkhjgkGKSamJ ZDGN4tjRdvY5AZutN1x9IKdSkf9TldBRda9dHpeOK4lH4AvVnSI6BoQh6tDwS/RO8XdOk9CwBZ/ ky8EQ/ZzaqMdUF0hCHB8qO+oqO7QOuee2hjSGFp/X5QE75/J0g0/Jv6Ts4yAVDJs96Tn15YIkzo 5v5DOgrnRX8OZdtU4WwD8d0eFO1CudE1tskTQZ/gFI/Vz56w==
X-Received: by 2002:a05:690c:e651:b0:7a1:a19:2c55 with SMTP id 00721157ae682-7af70f92767mr107296957b3.27.1776110785738; Mon, 13 Apr 2026 13:06:25 -0700 (PDT)
Received: from ehlo.thunderbird.net ([2406:5900:1038:15ba:ad9c:8caa:ec33:807a]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7af3d5b0a42sm57943947b3.21.2026.04.13.13.06.24 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 13 Apr 2026 13:06:25 -0700 (PDT)
Date: Tue, 14 Apr 2026 05:06:21 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <CAN3x4QnqyQkobC+S_Er01YSGJ_tVXHqRCRnzMjxNMRBpeQihqw@mail.gmail.com>
References: <CAF8qwaApZbT5C1q3-g5yTPxYJTuJeZqMgb=_Gu=hqYRnrtiJkA@mail.gmail.com> <CAN3x4QnqyQkobC+S_Er01YSGJ_tVXHqRCRnzMjxNMRBpeQihqw@mail.gmail.com>
Message-ID: <D0415B67-4259-4320-A273-BC0910B86A9B@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----797WAS6YA50NNOFJMLENLLA3G037AE"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: ZBYDYLMFPHKBYRFQWP4EWHK4DYD3MERI
X-Message-ID-Hash: ZBYDYLMFPHKBYRFQWP4EWHK4DYD3MERI
X-MailFrom: tjtncks@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: ACME and PLANTS
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SCFh5bxcEshoDMofvjeRNJU4fLs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
It may be stupid idea but can we use landmark-relative at main finalization (with async finalize) and make a new endpoint for standalone certificate? I fear standalone at old endpoint will cause most (old) client will never patch for landmark-relative at all and use standalone for everything because it works On 2026년 4월 14일 오전 4시 53분 57초 GMT+09:00, Jacob Hoffman-Andrews <jsha=40letsencrypt.org@dmarc.ietf.org> 작성함: >I've drafted another approach to the integration here: >https://github.com/ietf-plants-wg/merkle-tree-certs/pull/207. Copying the >pull request description: > >An ACME client polls landmarkURL (which may be shared across many >certificates) to determine when a landmark-relative certificate is >possible. Once a landmark-relative certificate is possible, the ACME client >POSTs to newRelativeCertificate (from the directory). > >Advantages: > > - No new states in the Order state machine. > - No new polling semantics for certificate download URLs. > - CAs do no extra work for clients that don't want relative certificates >(or: clients can defer getting relative certificates until they see that >traffic justifies it). > - Order lifetime does not depend on landmarking period. > - All HTTP requests are expected to serve 200 in the happy case. > - The new field in the directory serves as a signal that the ACME server >supports Merkle Tree Certificates. > >Disadvantages: > > - ACME clients will tend to rush in and request relative certificates as >soon as a landmark is minted. Options: > - CA returns 503 if load is too high and clients backoff and retry. > - Some mechanism for clients to decide how long to wait after a landmark >is minted before requesting a relative certificate. Perhaps interpolation >based on size of landmarks? > >Keeping list context together: David Benjamin recently proposed a different >approach, based on continued polling of order objects after the standalone >certificate is issued: >https://github.com/ietf-plants-wg/merkle-tree-certs/pull/203. This was in >response to some good points about HTTP statuses made by Watson Ladd on the >plants@ list: >https://mailarchive.ietf.org/arch/msg/plants/_vf4hEt9g4n6CdriRrtZO5ZGwOA/ > > >On Thu, Mar 12, 2026 at 10:53 AM David Benjamin <davidben@chromium.org> >wrote: > >> Hi ACME folks, >> >> (I wasn’t sure about cross-posting etiquette, so I haven't CC'd plants@ >> here. Rather, I’ll point plants@ to this thread shortly. Figure it’s >> always easier to merge threads than to split them.) >> >> For folks who haven’t been following, we have a new PLANTS >> <https://datatracker.ietf.org/group/plants/about/> WG! It’s definitely >> not just an excuse to make plant puns. The WG recently adopted Merkle >> Tree Certificates >> <https://datatracker.ietf.org/doc/draft-ietf-plants-merkle-tree-certs/> >> (MTC) as a starting point. This is all quite early (and obviously I’m >> just speaking for myself and not the group), but there is some overlap with >> ACME and I figure it's better to start conversations sooner than later. >> >> The draft has an initial pass at how to put them together here. Happily, >> it seems ACME is already rich enough to express what MTC needs, with >> fairly minimal additions/guidance: >> >> >> https://www.ietf.org/archive/id/draft-ietf-plants-merkle-tree-certs-02.html#name-acme-extensions >> >> Some context: >> >> These slides >> <https://datatracker.ietf.org/meeting/124/materials/slides-124-plants-solution-space-and-dispatched-work-00> >> from the BoF are a good starting point for how MTC works. The ACME >> interaction is that, for each certificate request, an MTC CA returns two >> certificates: a “standalone certificate” (large, immediate, generally >> usable) and a “landmark certificate” (small, delayed, not generally usable, >> optional). The CA... >> >> 1. Validates the certificate request. >> 2. Appends the information to a log, signs it, etc. This step constitutes >> issuance. >> 3. Constructs a standalone certificate that serves as proof of this >> issuance. >> 4. Waits some time (hours) for a “landmark” to be allocated. >> 5. Constructs a landmark certificate that serves as an alternate proof of >> this same issuance. >> >> MTC wants a way to configure ACME to deliver both certificates (one >> immediately and one that the ACME client can optionally retrieve later, >> after some delay), along with any metadata needed for the TLS server (etc) >> to select between the two. >> >> The current proposal is to use ACME's existing alternate URLs feature, >> modeling the delay with the HTTP Retry-After header from RFC 9110. (Another >> option is to make multiple orders. That would let us model the delay with >> the "processing" status, but since it’s one validation and issuance event, >> one order + alternate URLs seemed a better fit.) >> >> Thoughts? Is this a good approach to using ACME? >> >> David >> >> PS: This is not directly part of the Profile Sets proposal. I’m quite >> behind on my inbox and need to follow-up on that! :-) For MTC, the two >> certs correspond to one issuance event and are renewed together, so I think >> we want only one order. Though the problem space is definitely related and >> perhaps my initial guess at one or both was wrong! >> _______________________________________________ >> Acme mailing list -- acme@ietf.org >> To unsubscribe send an email to acme-leave@ietf.org >>
- [Acme] ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Mike Ounsworth
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS David Benjamin
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Ilari Liusvaara
- [Acme] Re: ACME and PLANTS Jacob Hoffman-Andrews
- [Acme] Re: ACME and PLANTS Seo Suchan
- [Acme] Re: ACME and PLANTS Aaron Gable
- [Acme] Re: ACME and PLANTS Michael Richardson
- [Acme] Re: ACME and PLANTS Ilari Liusvaara