[Acme] ARI: Indication if certificate will be revoked

Andrew Ayer <agwa@andrewayer.name> Wed, 22 March 2023 14:35 UTC

Date: Wed, 22 Mar 2023 10:35:38 -0400
From: Andrew Ayer <agwa@andrewayer.name>
To: acme@ietf.org
Message-Id: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/TGy6nCDril48LuzCdptiH025ywU>
Subject: [Acme] ARI: Indication if certificate will be revoked

I'm working on adding an ARI client to a certificate monitoring service
to notify users when one of their certificates is scheduled to be
revoked.  Unfortunately, ARI doesn't currently convey whether the
suggestedWindow is mandatory (because the certificate is going to be
revoked) or merely advisory.

I had previously thought that an end time that was earlier than the
certificate's expiration would indicate an upcoming revocation, but it
appears that Let's Encrypt's ARI endpoint routinely specifies an end
time that is ~30 days earlier than the certificate's expiration.

I propose that the renewalInfo object contain a nullable field called
revocationTime which specifies the time the certificate is going to be
revoked, if applicable.

Regards,
Andrew
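Added illustration (not code from this message or from any ACME implementation): a small Python client-side check contrasting the "window ends before expiry" heuristic described in the message with the proposed nullable revocationTime field. The renewalInfo objects are constructed, and revocationTime is the hypothetical field from this proposal, not something any CA is assumed to emit today.

```python
import json
from datetime import datetime, timezone

# Constructed renewalInfo responses in ARI shape, extended with the
# hypothetical "revocationTime" field proposed in the message above.
NOT_AFTER = datetime(2023, 6, 10, tzinfo=timezone.utc)  # constructed cert expiry
ARI_ADVISORY = json.dumps({
    # Window ends ~30 days before notAfter, which is routine and NOT a revocation.
    "suggestedWindow": {"start": "2023-05-10T00:00:00Z",
                        "end": "2023-05-12T00:00:00Z"},
    "revocationTime": None,
})
ARI_REVOKING = json.dumps({
    "suggestedWindow": {"start": "2023-04-01T00:00:00Z",
                        "end": "2023-04-03T00:00:00Z"},
    "revocationTime": "2023-04-05T12:00:00Z",
})


def parse_rfc3339(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in ARI responses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def naive_heuristic(renewal_info_json, not_after):
    """The approach the message found unreliable: treat a suggestedWindow
    that ends before the certificate's notAfter as an upcoming revocation."""
    info = json.loads(renewal_info_json)
    return parse_rfc3339(info["suggestedWindow"]["end"]) < not_after


def classify(renewal_info_json, not_after):
    """Return ("revocation", when) only if the CA states a revocationTime;
    otherwise ("advisory", window_end). A window ending before notAfter is
    treated as advisory because it carries no revocation signal by itself."""
    info = json.loads(renewal_info_json)
    window_end = parse_rfc3339(info["suggestedWindow"]["end"])
    rev = info.get("revocationTime")  # hypothetical field, nullable
    if rev is not None:
        return "revocation", parse_rfc3339(rev)
    if window_end > not_after:
        window_end = not_after  # renewal must happen before expiry regardless
    return "advisory", window_end
```

The advisory case shows why the heuristic misfires: an early window end alone would raise a false revocation alert, while the explicit field gives the monitoring service a definitive answer.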