Re: [Acme] I-D Action: draft-ietf-acme-ari-03.txt

Carl Wallace <> Mon, 26 February 2024 12:36 UTC


Two comments on the third paragraph of section 4.1:

- The addition of section identifiers for the references makes the sentences harder to read. Maybe wrap the section identifiers and references in parentheses.
- The preparation of the URI uses the keyIdentifier field of AuthorityKeyIdentifier. That field is optional. What should occur if it is absent (or if AKID is absent)? Given 5280 requires uniqueness for issuer name and serial and the issuer field is not optional, would the issuer field make for a better target than AKID? If this mechanism only applies to certs that conform to a profile that requires presence of key identifier in the AKID extension, state that up front.

On 2/8/24, 4:01 PM, "<> on behalf of <>" wrote:

Internet-Draft draft-ietf-acme-ari-03.txt is now available. It is a work item
of the Automated Certificate Management Environment (ACME) WG of the IETF.

Title: Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension
Author: None
Name: draft-ietf-acme-ari-03.txt
Pages: 10
Dates: 2024-02-08


This document specifies how an ACME server may provide suggestions to
ACME clients as to when they should attempt to renew their
certificates. This allows servers to mitigate load spikes, and
ensures clients do not make false assumptions about appropriate
certificate renewal periods.

The IETF datatracker status page for this Internet-Draft is: <>

There is also an HTML version available at: <>

A diff from the previous version is available at: <>

Internet-Drafts are also available by rsync at:

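For readers following the thread, here is the identifier construction the second comment is about, as section 4.1 of the -03 draft specifies it: the base64url encoding (no padding) of the keyIdentifier field of the certificate's Authority Key Identifier extension, a period, and the base64url encoding of the content octets of the DER-encoded serialNumber (no tag or length bytes). This is an added example, not code from the draft or from any ACME implementation. The key identifier and serial below are constructed sample values, the renewalInfo base URL is hypothetical, and the draft gives no rule for a missing keyIdentifier, so this code simply refuses to build an identifier in that case (an assumption, which is exactly the gap the comment raises).

```python
import base64
from typing import Optional


def der_integer_content(value: int) -> bytes:
    """Content octets of the DER INTEGER encoding of `value` (no tag, no length).

    DER integers are minimal-length big-endian two's complement, so a positive
    serial whose top bit is set needs a leading 0x00 byte: 0x87654321 encodes
    as 00 87 65 43 21, not 87 65 43 21. Dropping that byte produces an
    identifier the CA will not recognise.
    """
    if value < 0:
        raise ValueError("RFC 5280 serial numbers must be positive integers")
    # +8 rather than +7 reserves room for the sign bit when the top bit is set.
    length = (value.bit_length() + 8) // 8
    return value.to_bytes(length, "big")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the '=' padding stripped, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: Optional[bytes], serial: int) -> str:
    """Build the ARI certificate identifier: base64url(keyIdentifier) '.' base64url(serial octets).

    `aki_key_identifier` is the raw keyIdentifier OCTET STRING contents from the
    AKID extension, or None when the extension or the field is absent. The draft
    does not say what to do in the absent case; refusing is this example's own
    choice (assumption), rather than silently emitting a malformed path.
    """
    if not aki_key_identifier:
        raise ValueError(
            "certificate has no AKID keyIdentifier; ARI identifier cannot be built"
        )
    return f"{b64url_nopad(aki_key_identifier)}.{b64url_nopad(der_integer_content(serial))}"


def ari_renewal_info_url(renewal_info_base: str, aki_key_identifier: Optional[bytes], serial: int) -> str:
    """Append the identifier to the renewalInfo URL advertised in the ACME directory."""
    return renewal_info_base.rstrip("/") + "/" + ari_cert_id(aki_key_identifier, serial)


# Constructed sample values (not taken from any real certificate).
SAMPLE_KEY_IDENTIFIER = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
SAMPLE_SERIAL = 0x87654321  # top bit set, so the DER content gets a leading 0x00
HYPOTHETICAL_RENEWAL_INFO_URL = "https://example.com/acme/renewal-info"  # assumption

if __name__ == "__main__":
    print(ari_renewal_info_url(HYPOTHETICAL_RENEWAL_INFO_URL, SAMPLE_KEY_IDENTIFIER, SAMPLE_SERIAL))
    try:
        ari_cert_id(None, SAMPLE_SERIAL)
    except ValueError as exc:
        print("missing keyIdentifier:", exc)
```

The two's complement detail is the part most often got wrong when this is reimplemented: the serial part of the identifier for 0x87654321 begins with "AI" because of the leading zero byte, and an encoder that strips it produces a different path. The missing-keyIdentifier branch is where an implementer would have to pick a fallback, such as the issuer name suggested above, once the draft says which.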