Re: [Acme] ARI: Indication if certificate will be revoked

Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 22 March 2023 17:56 UTC

From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Andrew Ayer <agwa@andrewayer.name>, "acme@ietf.org" <acme@ietf.org>
Date: Wed, 22 Mar 2023 17:55:59 +0000
Message-ID: <DM6PR14MB2186F5867BDDAB1394F2A23492869@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name>
In-Reply-To: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/b6jZSPG3_uzTmevXlGxUE3k05wI>

Hi Andrew,
Is the purpose of the "revocationTime" field such that ACME client behavior
would be different than the recommended replacement time-selection algorithm
in section 4.1, or is it to provide richer metadata about the pending
replacement window that is potentially human or machine-readable?

If the former, I'd be interested to hear how you think the time-selection
algorithm should be modified to incorporate the information conveyed in that
field. My first thought is that ACME client behavior will be the same
regardless of the field value, but I very well may be missing something.

If the latter, I'm wondering if we could consider defining an RFC 7807-style
"problem document" format that would provide fuller information that is both
human- and machine-readable. The "explanationURL" field as it currently
exists in the draft might be useful for conveying human-readable
information, but defining a fuller representation of replacement-related
metadata would also allow machine-readable information to be conveyed.

Thanks,
Corey

-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Andrew Ayer
Sent: Wednesday, March 22, 2023 10:36 AM
To: acme@ietf.org
Subject: [Acme] ARI: Indication if certificate will be revoked

I'm working on adding an ARI client to a certificate monitoring service to
notify users when one of their certificates is scheduled to be revoked.
Unfortunately, ARI doesn't currently convey whether the suggestedWindow is
mandatory (because the certificate is going to be revoked) or merely
advisory.

I had previously thought that an end time that was earlier than the
certificate's expiration would indicate an upcoming revocation, but it
appears that Let's Encrypt's ARI endpoint routinely specifies an end time
that is ~30 days earlier than the certificate's expiration.

I propose that the renewalInfo object contain a nullable field called
revocationTime which specifies the time the certificate is going to be
revoked, if applicable.

Regards,
Andrew

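The two readings of the proposed field can be made concrete in code. The following is an editor's added example, not code from either poster, from Let's Encrypt, or from the ARI draft. It assumes a renewalInfo JSON object with the draft's "suggestedWindow" and "explanationURL" members plus Andrew's proposed nullable "revocationTime"; the renewal-time selection is modelled on the step sequence of the draft's section 4.1 as understood here (pick a uniformly random instant in the window, renew immediately if it is already past, otherwise schedule it or fall back to the client's next wake-up), which should be checked against the draft revision actually implemented. The sample responses are constructed. The point the example makes is the one Corey raises: the ACME client's renewal plan comes out identical with or without "revocationTime", whereas a monitoring service of the kind Andrew describes is exactly the consumer that needs it.

```python
import json
import random
from datetime import datetime, timedelta, timezone

# Constructed sample responses (not captured from any real ARI endpoint).
ADVISORY_RESPONSE = """{
  "suggestedWindow": {"start": "2023-04-10T00:00:00Z", "end": "2023-04-12T00:00:00Z"},
  "explanationURL": "https://example.invalid/ari-explanation"
}"""

# Same shape, but carrying the proposed (hypothetical) revocationTime member.
REVOCATION_RESPONSE = """{
  "suggestedWindow": {"start": "2023-03-23T00:00:00Z", "end": "2023-03-25T00:00:00Z"},
  "explanationURL": "https://example.invalid/incident",
  "revocationTime": "2023-03-25T12:00:00Z"
}"""


def parse_rfc3339(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used for the timestamps above (UTC only)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_renewal_info(text):
    """Parse a renewalInfo object; revocationTime is optional and nullable (assumed field)."""
    doc = json.loads(text)
    window = doc["suggestedWindow"]
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes start")
    revocation = doc.get("revocationTime")
    return {
        "start": start,
        "end": end,
        "explanation_url": doc.get("explanationURL"),
        "revocation_time": parse_rfc3339(revocation) if revocation is not None else None,
    }


def select_renewal_time(info, rng):
    """Uniformly random instant inside the suggested window (assumed section 4.1 step)."""
    return info["start"] + (info["end"] - info["start"]) * rng.random()


def plan_renewal(info, now, next_wakeup, can_schedule, rng):
    """Decide what the ACME client does next. Note: revocation_time is never consulted."""
    selected = select_renewal_time(info, rng)
    if selected <= now:
        return ("renew_now", selected)          # window already reached: act immediately
    if can_schedule:
        return ("schedule", selected)           # client can wake itself at the chosen time
    if selected < next_wakeup:
        return ("renew_now", selected)          # would miss it before the next periodic run
    return ("sleep", next_wakeup)               # re-query at the next periodic run


def revocation_notice(info, now):
    """Monitoring-side consumer: surface a pending revocation, or None when advisory only."""
    revocation = info["revocation_time"]
    if revocation is None:
        return None
    return {
        "revocation_time": revocation,
        "hours_remaining": (revocation - now).total_seconds() / 3600,
        "explanation_url": info["explanation_url"],
    }


if __name__ == "__main__":
    now = datetime(2023, 3, 22, 18, 0, tzinfo=timezone.utc)
    for text in (ADVISORY_RESPONSE, REVOCATION_RESPONSE):
        info = parse_renewal_info(text)
        print(plan_renewal(info, now, now + timedelta(hours=6), False, random.Random(7)))
        print(revocation_notice(info, now))
```

Stripping the field and re-running plan_renewal with the same seed yields the same decision, which is what a "richer metadata" reading of the field implies; the monitor, on the other hand, gets a concrete deadline to alert on rather than having to guess from a window end that is earlier than expiry.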