Re: [Acme] ARI: Indication if certificate will be revoked
Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 22 March 2023 17:56 UTC
From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Andrew Ayer <agwa@andrewayer.name>, "acme@ietf.org" <acme@ietf.org>
Date: Wed, 22 Mar 2023 17:55:59 +0000
Message-ID: <DM6PR14MB2186F5867BDDAB1394F2A23492869@DM6PR14MB2186.namprd14.prod.outlook.com>
In-Reply-To: <20230322103538.975d953c92be1463f2347a4e@andrewayer.name>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/b6jZSPG3_uzTmevXlGxUE3k05wI>
Hi Andrew,

Is the purpose of the "revocationTime" field such that ACME client behavior would be different than the recommended replacement time-selection algorithm in section 4.1, or is it to provide richer metadata about the pending replacement window that is potentially human or machine-readable?

If the former, I'd be interested to hear how you think the time-selection algorithm should be modified to incorporate the information conveyed in that field. My first thought is that ACME client behavior will be the same regardless of the field value, but I very well may be missing something.

If the latter, I'm wondering if we could consider defining a RFC 7807-style "problem document" format that would provide fuller information that is both human- and machine-readable. The "explanationURL" field as it currently exists in the draft might be useful for conveying human-readable information, but defining a fuller representation of replacement-related metadata would also allow machine-readable information to be conveyed.

Thanks,
Corey

-----Original Message-----
From: Acme <acme-bounces@ietf.org> On Behalf Of Andrew Ayer
Sent: Wednesday, March 22, 2023 10:36 AM
To: acme@ietf.org
Subject: [Acme] ARI: Indication if certificate will be revoked

I'm working on adding an ARI client to a certificate monitoring service to notify users when one of their certificates is scheduled to be revoked. Unfortunately, ARI doesn't currently convey whether the suggestedWindow is mandatory (because the certificate is going to be revoked) or merely advisory.

I had previously thought that an end time that was earlier than the certificate's expiration would indicate an upcoming revocation, but it appears that Let's Encrypt's ARI endpoint routinely specifies an end time that is ~30 days earlier than the certificate's expiration.

I propose that the renewalInfo object contain a nullable field called revocationTime which specifies the time the certificate is going to be revoked, if applicable.

Regards,
Andrew
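The following is an added worked example, not code from either message, from the ARI draft, or from any CA. It models the two things the exchange above turns on: the section 4.1 time-selection step (pick a uniformly random instant in suggestedWindow and renew now if that instant has passed or falls before the client's next wake-up; a cron-style client that cannot schedule an exact instant is assumed), and the ambiguity Andrew raises (a window that ends before notAfter says nothing about revocation) next to the nullable revocationTime field he proposes, which is not in the draft. Both renewalInfo documents, the explanationURL, and the certificate expiry are constructed sample data.

```python
import json
import random
from datetime import datetime, timedelta

# Constructed sample renewalInfo responses (not captured from any CA).
# LE_STYLE mirrors the situation described above: the window ends about a
# month before the certificate expires, yet nothing says it will be revoked.
CERT_NOT_AFTER = "2023-05-30T00:00:00Z"

LE_STYLE = """{
  "suggestedWindow": {"start": "2023-04-29T00:00:00Z", "end": "2023-05-01T00:00:00Z"}
}"""

# Hypothetical response carrying the nullable revocationTime field proposed
# in the thread. The field is NOT part of the ARI draft; the URL is made up.
REVOCATION_PENDING = """{
  "suggestedWindow": {"start": "2023-03-22T18:00:00Z", "end": "2023-03-25T11:00:00Z"},
  "explanationURL": "https://ca.example/incident/123",
  "revocationTime": "2023-03-25T12:00:00Z"
}"""


def parse_time(s: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_renewal_info(doc: str) -> dict:
    """Parse a renewalInfo JSON document into datetimes, rejecting an inverted window."""
    info = json.loads(doc)
    window = info["suggestedWindow"]
    start, end = parse_time(window["start"]), parse_time(window["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes start")
    rev = info.get("revocationTime")  # hypothetical field; null/absent = no revocation known
    return {
        "start": start,
        "end": end,
        "explanationURL": info.get("explanationURL"),
        "revocationTime": parse_time(rev) if rev else None,
    }


def select_renewal_time(info: dict, rng=None) -> datetime:
    """Section 4.1 step: pick a uniformly random instant inside the window."""
    rng = rng or random.Random()
    span = (info["end"] - info["start"]).total_seconds()
    return info["start"] + timedelta(seconds=rng.uniform(0, span))


def decide(info: dict, now: datetime, next_wake: datetime, rng=None):
    """What a cron-style client (one that cannot schedule an exact instant)
    does after selecting a time. Returns (action, chosen_time) with action
    in {"renew_now", "sleep"}; "sleep" means re-query ARI at next_wake."""
    chosen = select_renewal_time(info, rng)
    if chosen <= now:
        return "renew_now", chosen  # selected instant already passed
    if chosen <= next_wake:
        return "renew_now", chosen  # would otherwise be missed before next wake-up
    return "sleep", chosen


def window_ends_before_expiry(info: dict, not_after: str) -> bool:
    """The heuristic the original post tried first. It is also true for routine
    early-renewal windows, so it cannot tell advisory from mandatory windows."""
    return info["end"] < parse_time(not_after)


def revocation_scheduled(info: dict) -> bool:
    """With the proposed field, the monitoring question has a direct answer."""
    return info["revocationTime"] is not None


if __name__ == "__main__":
    for name, doc in (("LE_STYLE", LE_STYLE), ("REVOCATION_PENDING", REVOCATION_PENDING)):
        info = parse_renewal_info(doc)
        print(name, "ends_before_expiry=%s" % window_ends_before_expiry(info, CERT_NOT_AFTER),
              "revocation_scheduled=%s" % revocation_scheduled(info))
```

Note that decide() behaves identically for both documents whenever the clock positions are the same relative to the window, which is the point Corey makes: the proposed field changes what a monitor can report, not what the renewal scheduler does.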