From: Marin Mihajlović <Marin.Mihajlovic@asee.io>
To: "acme@ietf.org" <acme@ietf.org>
Date: Fri, 10 Apr 2026 11:25:21 +0000
Subject: [Acme] Questions on ACME Protocol: Wildcard Certificate Distribution & Certificate Pinning for Mobile Apps
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Tss_k4dHsJNYNeKlJPSTKt9IgvE>

Hello,

I hope this message finds you well. I'm reaching out to the ACME Working Group with two questions regarding challenges we're facing in our certificate lifecycle management, and I'd appreciate any insights, recommendations, or pointers to existing work in this area.

1. Wildcard Certificate Distribution Across Multiple Servers

We currently use the ACME protocol to automatically renew a wildcard certificate on a single server. However, the same certificate and private key are used for TLS termination on multiple servers. At the moment, we lack an automated mechanism to distribute the renewed certificate and private key to all other servers that depend on it.

Does the working group have any recommendations or best practices for handling this scenario? Are there any existing extensions, draft proposals, or commonly adopted patterns within the ACME ecosystem that address automated distribution of certificates and private keys to multiple endpoints after renewal?

2. Certificate Pinning in Mobile Applications

We maintain mobile applications that implement certificate pinning. Each time a certificate is renewed, we currently need to build and release a new version of the app with the updated pinned certificate. This creates an operational bottleneck and a window of potential service disruption.

Is there any work being done within the ACME protocol or related specifications to help coordinate certificate renewal with certificate pinning scenarios? For example, mechanisms to pre-publish upcoming certificate details (such as public keys or SPKI hashes) ahead of the actual renewal, so that pinning configurations can be updated proactively?

Any guidance, references to relevant RFCs or drafts, or practical experience the group can share would be greatly appreciated.

Thank you for your time.

Best regards,

Marin Mihajlović
Software Architect


ASEE SOLUTIONS d.o.o.
+385 95 5541 310 | marin.mihajlovic@asee.io

asee.io <https://asee.io>

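Added example, not part of the original message: a sketch of the idea raised in question 2, where the app pins SPKI hashes and ships the hash of a pre-generated next key next to the current one, contrasted with pinning the whole certificate. The certificates are constructed stand-ins (RFC 5280 field order, dummy signature), the key bytes are made up, and every function name is hypothetical.

```python
import base64
import hashlib

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos):
    """Return (tag, value_start, tlv_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        size, start = first, pos + 2
    else:
        k = first & 0x7F
        size, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    if first == 0x80 or start + size > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return tag, start, start + size

def spki_from_cert(cert):
    """Slice the SubjectPublicKeyInfo TLV out of a DER X.509 certificate."""
    _, cert_body, _ = read_tlv(cert, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, cert_body)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional explicit [0] version
        pos = end
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def spki_pin(spki):
    """Key pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def cert_pin(cert):
    """Whole-certificate pin: changes with every reissue, even for the same key."""
    return base64.b64encode(hashlib.sha256(cert).digest()).decode()

# --- constructed sample data below: not real keys or certificates ---
def make_spki(point):
    alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))       # id-ecPublicKey
                    + der(0x06, bytes.fromhex("2a8648ce3d030107")))   # prime256v1
    return der(0x30, alg + der(0x03, b"\x00" + point))

def make_cert(serial, spki):
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"260101000000Z") + der(0x17, b"260401000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(8)))  # dummy signature

CURRENT_SPKI = make_spki(b"\x04" + bytes(range(64)))
NEXT_SPKI = make_spki(b"\x04" + bytes(range(64, 128)))    # pre-generated, not yet deployed
OTHER_SPKI = make_spki(b"\x04" + bytes(range(128, 192)))  # key the app was never told about

# Pin set shipped in the app: current key plus the pre-published next key.
# The next pin needs only the public key, so it exists before any certificate does.
APP_PINS = {spki_pin(CURRENT_SPKI), spki_pin(NEXT_SPKI)}

def scenario():
    issued, renewed = make_cert(1, CURRENT_SPKI), make_cert(2, CURRENT_SPKI)
    allowed = lambda cert: spki_pin(spki_from_cert(cert)) in APP_PINS
    return {
        "cert_pin_survives_renewal": cert_pin(issued) == cert_pin(renewed),
        "renewed_same_key": allowed(renewed),
        "rotated_to_next_key": allowed(make_cert(3, NEXT_SPKI)),
        "unannounced_key": allowed(make_cert(4, OTHER_SPKI)),
    }
```

`scenario()` shows the whole-certificate pin failing across a same-key reissue while the SPKI pin set accepts both the reissued certificate and one on the announced next key, and rejects a key that was never published.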

