Re: [Acme] case in point of usability
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 01 April 2015 12:19 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2661B1A87C8 for <acme@ietfa.amsl.com>; Wed, 1 Apr 2015 05:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iIbIt588VNCH for <acme@ietfa.amsl.com>; Wed, 1 Apr 2015 05:19:19 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D8731A02BE for <acme@ietf.org>; Wed, 1 Apr 2015 05:19:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 9CC35BEB2 for <acme@ietf.org>; Wed, 1 Apr 2015 13:19:17 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJe31UNmZaFp for <acme@ietf.org>; Wed, 1 Apr 2015 13:19:17 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 7DAFABEB0 for <acme@ietf.org>; Wed, 1 Apr 2015 13:19:17 +0100 (IST)
Message-ID: <551BE246.1040603@cs.tcd.ie>
Date: Wed, 01 Apr 2015 13:19:18 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: "acme@ietf.org" <acme@ietf.org>
References: <551AB92F.6080004@cs.tcd.ie>
In-Reply-To: <551AB92F.6080004@cs.tcd.ie>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/lWl9rHvnpUVBcQHY4GaqtMVUEkU>
Subject: Re: [Acme] case in point of usability
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2015 12:19:22 -0000
And in a happy ending for this thread, when I whacked in the new cert today it all worked. Interestingly, there was a point where it was fine in all but one browser - that lasted an hour or so before they were all ok, not quite sure why, but there's clearly more going on with ocsp caching than I know about;-) S. On 31/03/15 16:11, Stephen Farrell wrote: > > So today I was updating a web server cert as I do a few > times a year. And I have a usability story to tell... > > I got the new cert and installed it in apache without any > Cullen-like problems:-) That cost me €0.00 in payment and > about 5-10 minutes. All good so far. > > Chrome was happy, but FF/opera/my phone weren't. > > I then messed about for 30 minutes checking to see if > a new intermediate cert was needed etc. (i.e. I was back > to Cullen-mode:-) > > Turns out after a bit of searching, I'd installed the new > cert too soon, and when I tested it, a "dunno" OCSP > response was sent before the responder had seen the new > cert and that OCSP response has now been cached for some > unknowable (to me) number of hours in who-knows-what > places. And that caching behaviour has changed since the > last time I got a cert from the same provider a few months > ago. So I reverted my apache to the old cert and will > try install the new cert again tomorrow. > > That's exactly that kind of thing I'd love to see fixed > with acme and that is not handled by CMP, CMC, PKCS#10, > EST or SCEP. At least I don't believe there's a standard > way of getting the right thing to happen with those > without some proprietary extension/surroundings. > > And one big reason CMP etc don't support that is that we > didn't have that requirement when we had the big fight > that lead to CRMF back nearly 20 years ago. (Since OCSP > didn't exist then and we didn't know how folks would be > updating web servers, and we're much more intolerant of > Cullen-like messing about being needed these days, and > rightly so.) > > I would like acme defined so that when I get the cert > back all the PKI stuff has happened already and is > working. I'm sure some other semantics could also work > out, (e.g. if acme had a "ready-yet?" query I could > emit after getting the cert), but those are the kind > of problems we're currently facing that are killers and > that we can address, now that we know the deployment > requirements much better than we did in 1996. > > I hope this helps those who are worried that acme is > only about business models. In my head what acme ought > be about is getting rid of that 1 hour of silly sysadmin > time I just spent - the system-automated web server s/w > update should just have done all of this for me without > me even having to know a new cert was needed until I > get the system update email tomorrow. > > Cheers, > S. > > PS: Apologies, Cullen but it's your own fault:-) > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] case in point of usability Stephen Farrell
- Re: [Acme] case in point of usability Carl Mehner
- Re: [Acme] case in point of usability Stephen Farrell
- Re: [Acme] case in point of usability Rob Stradling
- Re: [Acme] case in point of usability Stephen Farrell
- Re: [Acme] case in point of usability Ben Laurie
- Re: [Acme] case in point of usability Stephen Farrell
- Re: [Acme] case in point of usability Warren Kumari
- Re: [Acme] case in point of usability Phillip Hallam-Baker
- Re: [Acme] case in point of usability Nico Williams