[Acme] draft-aaron-acme-ari
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 29 September 2021 18:33 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5AF83A098A for <acme@ietfa.amsl.com>; Wed, 29 Sep 2021 11:33:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aJpnKKLKZvSS for <acme@ietfa.amsl.com>; Wed, 29 Sep 2021 11:33:05 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B133A0984 for <acme@ietf.org>; Wed, 29 Sep 2021 11:33:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 52F9F1819E for <acme@ietf.org>; Wed, 29 Sep 2021 14:40:45 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BxrmwuJydo34 for <acme@ietf.org>; Wed, 29 Sep 2021 14:40:40 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 355DE18037 for <acme@ietf.org>; Wed, 29 Sep 2021 14:40:40 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id E52EDA0 for <acme@ietf.org>; Wed, 29 Sep 2021 14:32:56 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: acme@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 29 Sep 2021 14:32:56 -0400
Message-ID: <24511.1632940376@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/XIgSUy05aG65HgkSUdJ-7ykmKD0>
Subject: [Acme] draft-aaron-acme-ari
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2021 18:33:11 -0000
I have read draft-aaron-acme-ari. I support adoption of the document. The problem statement is well founded, but I'm surprised at the solution. I am surprised that it's not something that is inside the certificate. An in-certificate hint would be useful in RFC7030 situations for IoT networks, particularly when a CA rollover is expected soon. I am also not thrilled about the online assumptions about this process. I guess the point is that the ACME server does not need to commit to a particular schedule. I am also concerned about privacy implications here. dns-01 challenges for instance, don't have to reveal the location of the end server, but I suppose any indirection for obtaining certificates can also do the polling of this renew directly. One bit that confused me: > Conforming servers MUST provide the renewalInfo resource via POST-as-GET; > they SHOULD provide it via unauthenticated GET as well. Conforming clients > SHOULD use unauthenticated GET to request renewalInfo resources. Generally, if you write SHOULD, then there are some exceptions that are possible, even if unlikely. What are they? If conforming clients are supposed to use unathenticated GET, why is support for that only SHOULD? I guess clients MUST also support POST-as-GET, at which point, why wouldn't clients just get code for that choice? -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Acme] draft-aaron-acme-ari Michael Richardson