Re: [Acme] Concerning alternative formats …

Felipe Gasper <felipe@felipegasper.com> Tue, 06 March 2018 00:56 UTC

From: Felipe Gasper <felipe@felipegasper.com>
In-Reply-To: <EDDD7A9E-D229-4EAF-BACB-7E2C7806DF56@ipifony.com>
Date: Mon, 05 Mar 2018 19:56:53 -0500
Cc: Martin Thomson <martin.thomson@gmail.com>, Richard Barnes <rlb@ipv.sx>, Logan Widick <logan.widick@gmail.com>, ACME WG <acme@ietf.org>, Jörn Heissler <acme-specs@joern.heissler.de>, Fraser Tweedale <frase@frase.id.au>
Message-Id: <1E2061F8-4431-48B4-944B-06B2B897D898@felipegasper.com>
References: <CAMmAzEKJhMaUBtCWSNZyGv-f+-edZ-WTq3=WFD_b1bXfvua89A@mail.gmail.com> <20180106001126.GB3076@carrot.tutnicht.de> <CAMmAzELgjpAmVCX6YB0VMvNQV3NH3NDdM_pdcz6d+h=ZO2rJww@mail.gmail.com> <CAMmAzEKMffffrxAihotVWPpqy=LaRkpSJuW9CpSVoQfLQ-nBwQ@mail.gmail.com> <CAL02cgRLXkkQECF5ssGh39uFL0xJp-3EODxGSQVzfPuEnE7FgA@mail.gmail.com> <63F4F466-8398-41E6-BD25-5414ADA9D1B3@felipegasper.com> <CAMmAzEKksnuBi0LPHsAsd2qs1brbMqrJBdtsbArTr6HhGrkN+A@mail.gmail.com> <CAL02cgRrH9fG-E9_oc4naSNvE4igaUcs9wXDfTtCTUCx+c4wbg@mail.gmail.com> <20180304125854.GH2161@carrot.tutnicht.de> <CAMmAzEJ0A2iOd2ASSHGJRfuB6Ss-BaOCXWsxUKUZx9UUzbT1ng@mail.gmail.com> <20180304143300.GI2161@carrot.tutnicht.de> <CAMmAzELuDLp4KxPtLgHp8AoyKGLOOjx4HPSrhDJ=yJ9RytU_vw@mail.gmail.com> <CAL02cgSAQaE0Qd=q3aSEDZdGe0TwyHs60xn-042OhKxu5LHxYA@mail.gmail.com> <CABkgnnWKhQ99qHtN8PkyG=6zNbJeGPYstL7Hgek36nR+747oHg@mail.gmail.com> <CAL02cgQFvVNEyBEAPsPdAtWK+VL0aPxdDqhZc_yrVLza4keZmg@mail.gmail.com> <CABkgnnUeiZvckTBRZNAv1Psg+ge-xK+y6vhSA4h2Ve_9_Nt8cg@mail.gmail.com> <CAL02cgSbgr69Qbd23MfF=gOrDn6wUXwDfx0Qv=H6RczoC2uasA@mail.gmail.com> <CABkgnnVu9MjfMtJ7tmoTBLT+3qoX2YPZqau92YUW=XqoL-Uf7Q@mail.gmail.com> <50502D5E-89F4-4CEC-A947-AF37032A0381@felipegasper.com> <5B3A59BB-3832-4F38-A281-81FBE5AA1887@ipifony.com> <CF42EC34-F05A-4615-A8DB-0A2524F04CBF@felipegasper.com> <EDDD7A9E-D229-4EAF-BACB-7E2C7806DF56@ipifony.com>
To: "Matthew D. Hardeman" <mhardeman@ipifony.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/k2ZAxhCtL0KKkmrWJWwihgtFSjk>

> On Mar 5, 2018, at 5:58 PM, Matthew D. Hardeman <mhardeman@ipifony.com> wrote:
> 
>> On Mar 5, 2018, at 3:50 PM, Felipe Gasper <felipe@felipegasper.com> wrote:
>> 
>> Quick point: the alleviation of polling would go for authz status as well as to certificate delivery.
>> 
>> A certificate order that has 10 domains needs to poll for the status of all 10 of those domains’ authorizations as well as the certificate issuance. “ACME/bidi” would remove all 11 of those needs to poll.
>> 
> 
> While it eliminates the need for those 11 targets to poll for, it adds the not insignificant infrastructure cost of nailing up a stateful connection.  It’s worth mentioning that the past decade has seen massive improvements in the network stack from the low layer up through application-layer APIs as it would pertain to handling a great many of these connections, but there is still some cost to nailing up large numbers of concurrent connections.

I would think the grand majority of such connections would go away once certificate renewals were done. There’d be no reason to hold onto the connection afterward, as it ties up resources for the client as well as the server.

> As others note, h2 offers numerous models under which you could achieve the same benefits of getting asynchronous return of results over a single TCP session.

I’ve not seen much discussion of h2 server push in this context; its use seems (by design) limited to the case of pre-sending resources that the client will either accept or reject via RST_STREAM.

There is SSE (Server-Sent Events), but my understanding is that that protocol is effectively abandoned, supported browser implementations notwithstanding. (Edge/IE in particular doesn’t support it.)

Is there another mechanism that you and Thomson have in mind, or what am I missing?

Thank you,
-Felipe Gasper
Mississauga, Ontario
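The polling burden the thread is discussing (one poll loop per authorization plus one for the certificate, as in the "10 domains, 11 things to poll" point above) can be made concrete with a small simulation. The following is an added example, not code from the thread or from any ACME implementation: a polling client modelled on the RFC 8555 order and authorization status fields, run against a constructed stand-in CA. The `FakeAcmeServer`, the `ca.example` URLs and the tick-based timings are all placeholders; finalization is elided, and time is simulated rather than slept.

```python
"""Added example, not part of the mailing-list thread: a simulated RFC 8555
polling client run against a constructed stand-in CA, to count the HTTP
round trips a client needs to learn that N authorizations and the
certificate are ready. Time is simulated in ticks; no network, no sleeping."""

ORDER_URL = "https://ca.example/order/1"   # placeholder, not a real CA
CERT_URL = "https://ca.example/cert/1"     # placeholder

# Terminal authorization states from RFC 8555 section 7.1.6.
AUTHZ_FAILED = {"invalid", "expired", "revoked", "deactivated"}


class FakeAcmeServer:
    """Constructed stand-in for a CA (hypothetical, not real server code).

    Each authorization flips from 'pending' to 'valid' at a configured tick
    (the simulated moment its challenge validation finishes). Once every
    authorization is valid the order spends `issue_delay` ticks in
    'processing' and then becomes 'valid' with a certificate URL. The
    finalize step is elided to keep the model small.
    """

    def __init__(self, authz_ready_at, issue_delay=2, retry_after=1):
        self.authz_ready_at = dict(authz_ready_at)  # authz URL -> ready tick
        self.issue_delay = issue_delay
        self.retry_after = retry_after              # Retry-After, in ticks
        self.tick = 0
        self.requests = 0                           # round trips observed

    def advance(self, ticks):
        self.tick += ticks

    def fetch(self, url):
        """Simulated POST-as-GET. Returns (resource, retry_after or None)."""
        self.requests += 1
        if url in self.authz_ready_at:
            ready = self.tick >= self.authz_ready_at[url]
            return ({"status": "valid" if ready else "pending"},
                    None if ready else self.retry_after)
        if url == ORDER_URL:
            order = {"authorizations": list(self.authz_ready_at)}
            all_valid_at = max(self.authz_ready_at.values())
            if self.tick < all_valid_at:
                order["status"] = "pending"
            elif self.tick < all_valid_at + self.issue_delay:
                order["status"] = "processing"
            else:
                order["status"] = "valid"
                order["certificate"] = CERT_URL
                return order, None
            return order, self.retry_after
        raise KeyError(url)


def poll_until_issued(server, order_url=ORDER_URL, max_ticks=60):
    """Polling client in the style the thread describes: one poll loop per
    authorization, then one for the order. Honors Retry-After and gives up
    after max_ticks rather than polling forever."""
    order, _ = server.fetch(order_url)
    for authz_url in order["authorizations"]:
        while True:
            authz, retry_after = server.fetch(authz_url)
            if authz["status"] == "valid":
                break
            if authz["status"] in AUTHZ_FAILED:
                raise RuntimeError(f"authorization failed: {authz_url}")
            server.advance(retry_after or 1)
            if server.tick > max_ticks:
                raise TimeoutError("gave up waiting for authorization")
    while True:
        order, retry_after = server.fetch(order_url)
        if order["status"] == "valid":
            return order["certificate"]
        if order["status"] == "invalid":
            raise RuntimeError("order failed")
        server.advance(retry_after or 1)
        if server.tick > max_ticks:
            raise TimeoutError("gave up waiting for issuance")


def run_comparison(authz_ready_at, issue_delay=2, retry_after=1):
    """Returns (poll_requests, ticks_elapsed, notifications), where
    notifications is what a push/bidirectional design would deliver instead:
    one event per authorization becoming valid plus one for the certificate."""
    server = FakeAcmeServer(authz_ready_at, issue_delay, retry_after)
    cert = poll_until_issued(server)
    assert cert == CERT_URL
    return server.requests, server.tick, len(authz_ready_at) + 1


if __name__ == "__main__":
    # Constructed timings: three domains whose validations finish at ticks 2, 1 and 3.
    sample = {
        "https://ca.example/authz/a": 2,
        "https://ca.example/authz/b": 1,
        "https://ca.example/authz/c": 3,
    }
    print(run_comparison(sample))  # -> (10, 5, 4)
```

With the sample timings the polling client makes 10 round trips over 5 ticks to collect the same four facts (three authorizations valid, one certificate issued) that a push design would deliver as four notifications; lengthening Retry-After trades fewer requests for later discovery of the certificate, which is the cost the polling side of the argument accepts in place of a held-open connection.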