[Acme] Re: Comment on draft-ietf-acme-profiles about change management
Mike Ounsworth <ounsworth+ietf@gmail.com> Wed, 21 January 2026 16:02 UTC
Return-Path: <ounsworth@gmail.com>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6EF6AAAFB580 for <acme@mail2.ietf.org>; Wed, 21 Jan 2026 08:02:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: 1.801
X-Spam-Level: *
X-Spam-Status: No, score=1.801 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfoKiyES9zgi for <acme@mail2.ietf.org>; Wed, 21 Jan 2026 08:02:24 -0800 (PST)
Received: from mail-oo1-xc33.google.com (mail-oo1-xc33.google.com [IPv6:2607:f8b0:4864:20::c33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0461CAAFB576 for <acme@ietf.org>; Wed, 21 Jan 2026 08:02:24 -0800 (PST)
Received: by mail-oo1-xc33.google.com with SMTP id 006d021491bc7-65f65538a90so717175eaf.1 for <acme@ietf.org>; Wed, 21 Jan 2026 08:02:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1769011337; cv=none; d=google.com; s=arc-20240605; b=BQkRCiychQvZZfvotTDPPDvK5F8h1j7nG31g9Sju0Fh6BMf460Yp02MJiIuELH/OWR U2y6tqHBq1Ztnl4eyvhHkvM9hANxqyEgFG5QRVIGCFSMeh5ThKMUaPBbYIAiJFMNzd5V HNKGqRgsCp1JnV/lgsTUHDt1ob/C9yD+drNz4AcOkMHKkwUrKiVWtXHpHSRBM0oBthZS AN/DeXTLaYp9FZdaMEbA3DQPQIYdaAC8S+vhDVR093MJPup9WcZXbA1MHepDgI9ytEvy g62AkZmpXkXr8OjWx/06pRBDCIzcY9Un/P3Q3Vqyu9AzkHi7J3rVD5+mV5V1rK2Wc5qQ ng2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=u2CAvhEurTo8FDyNl0GpiAcU6RU4b0kP3U2ivzfmf4w=; fh=aGMaY330p82usxTGBLFjRWfc3oIrfp3YmZU/dYERwI0=; b=i45VenDTCY4bbphdo+gqcyXSNuslLYeupWpOwu983aYE3bp0FVvRAPQbqa/EiTWfyW zkL/WYx4MTkKSreYn3F+XBowB+6sjFwLG1r6Ay6os7E8KUjlBlOx1NJyXNveQG0j/ntj 7rkC0tpX6CFw7JDNlt57rNU6tCAomPz0VsivTebdpCDGMUG402dnFn3u9lsQHes34OKc Z/VqAc74SXE1iFXsv4Rp4PLIXmMgdC3Zbjb0RJ6CjphuQmtms/zgf20M5nEP4XbVV4Eg vPoanC44oa6dLq5uurL3ZW/0ILWczMH0ogsieiQ9m74TRpeSRbZ11Kff/qVAU40LntzQ 88uA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769011337; x=1769616137; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=u2CAvhEurTo8FDyNl0GpiAcU6RU4b0kP3U2ivzfmf4w=; b=Zy20Xo1Po+aip9SsCRVA2170oxkB8rpGKiGkiSdEo/XaRvubbn/FmRhkv/h8eW/a/s Xp6cI+S0AztuOxdJv7rDSjxfTrbSc4ZnkavWIVNo6mN6nk2LS6xiva641goL66vpnyVo JuGhT0eAJKB4h81UutwKnLGn00AGVm3gHZtE1l/FVlbdsoC7QsMCIubvZ/RdTVwnn03m qf3lg9/OSU4HiBD328fi+1bzSxe8LgWLAZT79yOXJPGNtO/b+KXT2ENrqBwGtagTOtn7 Sb7b3gvoA0Kvo/a712Bia5i5I26wKY2XiCT21aKwociahb4ZV5ws4zCN3tXcdkCCrQfP wGww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769011337; x=1769616137; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=u2CAvhEurTo8FDyNl0GpiAcU6RU4b0kP3U2ivzfmf4w=; b=d1ijdPtxn8qGg0iRPYVmBzVlV57AsypkclPX3TkYUIZQ5I5A2jxUJD5DaiGVFzNqy/ mgH0P8CyUXF4sKlLnTAXZouYsdwOsmuLjbRcLn2DRuOD/bc7keVDemx8/hh+Tq2HEYAE hxvwl8CwJJ0K1gypzOKpoKBqNHtAn5yWskv4qopGt82GpEVbdGtG7VPYH/IlPgZYWpBa 4iFW/H7zDh3cQfTWEwLIHkdRaRLlT6Bb2eNCPlSXmm9EWPSJqqgZy/CGsf9MyGNqEI8r 6bzSA2CBd3JuKaPd9LHPn9Am4ByxYEzorWE0FHlOwY2kUZyB2uqq5tS7/0kn+kVt8CYq 9+1g==
X-Forwarded-Encrypted: i=1; AJvYcCUfHgwzJWcft5s0Q1ft4yrASWMLGKhC2YNWi+yRpJJG0jZ/KFhj6xUkF2VZ2wH4ogBiEckf@ietf.org
X-Gm-Message-State: AOJu0YxX7EmbiDvcKiq6KpytpnLZn1R1lg0OLU5oc37eruSnFbeUjJT+ YepyGkUsSBAEnyrrhb7YAC53fPotzmZt3s3fFs1mUV5Ie2NGNWoDhyLBoDL4c+Ja+H6UjmK2RjW uB6ieyhZo11uKrMEUFsMLYgDrflia8MU=
X-Gm-Gg: AZuq6aIL01ZuIDmvKq1GXHA+55sFYuB4hkqWmR6ArzSx5MW1xatLxLZhiYaAFa7ZKTX mMiftzL3OtRq7dB7j0YBwuCKyaDkFQ/NGrboepgV22LcTUn+H7Kp0k6CjJj2AbhGDjh14KNsX2F aMr3UAu32lP/lxd1Ir2sKHsF0ci+9D5JYSnbkcHIZS02AI/l9ck2P+UMMXdNW4TAMIgaz9cAkRo vcdw6tIjw1HFs55fFeu49bdJxu7JbuhihikFOLGQKRlOPyCxJ1jHdn3y6e4bC34fR9rmI7gdQ==
X-Received: by 2002:a4a:d9d3:0:b0:65f:547d:7e76 with SMTP id 006d021491bc7-6610e59a1c6mr7040036eaf.4.1769011332206; Wed, 21 Jan 2026 08:02:12 -0800 (PST)
MIME-Version: 1.0
References: <CAKZgXHqkK--vPiC35O5dA7W9x_dBzss4Me0ymLoyURUE8Uq6zA@mail.gmail.com> <CAEmnErcw-2JunoUZs6jXj1GienP9EHa9F7yuHM8rb5xxXy3+Nw@mail.gmail.com> <CAKZgXHpjsjoa19pxTqQwWj1Amqd+h0T4j3+OXaQgto96_ZhWWg@mail.gmail.com> <CAEmnEre+uT5kucs1LM-ffQw=AdyQ+9zqubi1w601UB337rHypQ@mail.gmail.com>
In-Reply-To: <CAEmnEre+uT5kucs1LM-ffQw=AdyQ+9zqubi1w601UB337rHypQ@mail.gmail.com>
From: Mike Ounsworth <ounsworth+ietf@gmail.com>
Date: Wed, 21 Jan 2026 10:02:00 -0600
X-Gm-Features: AZwV_QiN7oKw-0leQehS-b6anAQPiKU9PS0ioOar0K5UA6A5OBsKRkVb5JUNQZA
Message-ID: <CAKZgXHqJ67F14T8SUKKNfQRJOcQ8qXvDvxP6iTOtE1GZ6Wg5gg@mail.gmail.com>
To: Aaron Gable <aaron@letsencrypt.org>
Content-Type: multipart/alternative; boundary="0000000000000f55300648e80c83"
Message-ID-Hash: RJMFURZE4IHBGWQNUKNV4GYQO57KBWWF
X-Message-ID-Hash: RJMFURZE4IHBGWQNUKNV4GYQO57KBWWF
X-MailFrom: ounsworth@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-acme-profiles@ietf.org, IETF ACME <acme@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: Comment on draft-ietf-acme-profiles about change management
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/isCjtcK9TWr7koNUoFDXJmcONeg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>
> We did this [adding an extra layer to the Let's Encrypt CA chain] without making any changes to our advertised profiles or their documentation, and without any targeted outreach to subscribers. So far we have not observed or heard reports of any breakage. That's actually a great datapoint! Could it be that decades of overly-complex X.509 standards means that most client and server applications actually handle edge-cases reasonably well (like cert chains with lengths other than 3)? I'm shocked. Ok, maybe profiles aren't as brittle as I'm afraid, and therefore there's no good reason to version them. Thanks for entertaining my idea! On Mon, 12 Jan 2026 at 11:29, Aaron Gable <aaron@letsencrypt.org> wrote: > Ah, I understand. Yeah, that's something that CAs have historically > changed without any particular need to notify subscribers or update > profiles, and I hope that this remains true in the future. For example, > Let's Encrypt just shifted > <https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873/3?u=aarongable> > our "tlsserver" and "shortlived" profiles to issue from a new set of > intermediates > <https://letsencrypt.org/certificates/#:~:text=YE1%20%E2%86%90%20Root%20YE-,Let%E2%80%99s%20Encrypt%20YE2,-Subject%3A%20O>, > whose chains up to trusted roots are one certificate longer than they used > to be. We did this without making any changes to our advertised profiles or > their documentation, and without any targeted outreach to subscribers. So > far we have not observed or heard reports of any breakage. > > I definitely don't want the existence of profiles to mean that such > changes in the future would be expected to be more complex. > > Aaron > > On Sun, Jan 11, 2026 at 4:29 PM Mike Ounsworth <ounsworth+ietf@gmail.com> > wrote: > >> Hmm. ok. >> >> PS I didn't "length of the validation chain" as in "whether or not the CA >> servers the intermediate", I meant, like, the CA actually physically adds >> or removes a layer of CA. I think I'm thinking that the PQ era will involve >> changes larger than the changes we've seen over the past decade, but I'm >> also ok to leave it. >> >> On Fri, 9 Jan 2026 at 17:03, Aaron Gable <aaron@letsencrypt.org> wrote: >> >>> Hi Mike, >>> >>> Responding to pull-quotes inline below: >>> >>> On Thu, Jan 8, 2026 at 4:36 PM Mike Ounsworth <ounsworth+ietf@gmail.com> >>> wrote: >>> >>>> I think there's an assumption here that the CA is free to evolve their >>>> offered profiles over time; >>>> >>> >>> Yes, they are, and they always have been: every ACME CA for the last >>> decade has been evolving their single default profile over time to keep up >>> with changing requirements and best practices. >>> >>> >>>> But then, how much change is too much change that the CA really ought >>>> to declare a new profile and deprecate the old one? >>>> >>> >>> That's a very, very high bar. Note that the draft says that requests for >>> an unrecognized profile MUST be rejected by the CA. This means that fully >>> deprecating a profile breaks all clients which are explicitly requesting >>> that profile, until their operators notice and update their profile >>> configuration. >>> >>> This is on purpose. We believe that if a client is requesting a specific >>> profile, it is probably doing so for good reason (especially given that all >>> ACME clients have gotten along just fine with only a single default profile >>> for the last decade). It would be surprising for a client to request >>> profile `foo` and instead get an order with profile `bar` because the CA >>> has deprecated `foo`. >>> >>> But this also means that CAs should generally not design profiles with >>> the intent to deprecate them. In turn, "versioning" profiles will cause >>> site operators to have to update their requested profile configuration >>> frequently, and/or require the CA to support many ancient version numbers >>> lest they risk breaking anyone requesting that specific version. >>> >>> I think that any mention of versioning (whether normative or merely a >>> suggestion) within this draft will lead both CAs and clients to believe >>> that profiles are meant to be immutable, and that way lies sadness. If >>> there is to be any discussion of versioning within this document, I would >>> want it to be an exhortation against versioning, as it breaks the >>> longstanding contract of "trust the CA to make the best decision possible >>> given the current regulatory environment". >>> >>> Thanks, >>> Aaron >>> >>> P.S.: >>> >>> >>>> if you changed the length of the CA cert path, >>>> >>> >>> Note that, in ACME, the length of the validation chain shouldn't be >>> influenced by the profile; that's instead controlled post hoc via link >>> rel=alternate headers on the certificate download. >>> >>
- [Acme] Comment on draft-ietf-acme-profiles about … Mike Ounsworth
- [Acme] Re: Comment on draft-ietf-acme-profiles ab… Aaron Gable
- [Acme] Re: Comment on draft-ietf-acme-profiles ab… Mike Ounsworth
- [Acme] Re: Comment on draft-ietf-acme-profiles ab… Aaron Gable
- [Acme] Re: Comment on draft-ietf-acme-profiles ab… Mike Ounsworth
- [Acme] Re: Comment on draft-ietf-acme-profiles ab… Bob Beck