Re: [Acme] Renewal Information extension: Proposal to add an Explanation URL

Jesper Kristensen <jespermlst@gmail.com> Mon, 14 February 2022 18:29 UTC

References: <CALrMbp_M74q=WE02vuF6Ey+YMe_E1VOmN9yHS4AdxwUPpX=y1w@mail.gmail.com>
In-Reply-To: <CALrMbp_M74q=WE02vuF6Ey+YMe_E1VOmN9yHS4AdxwUPpX=y1w@mail.gmail.com>
From: Jesper Kristensen <jespermlst@gmail.com>
Date: Mon, 14 Feb 2022 19:29:00 +0100
Message-ID: <CACAF_Wj-wdSi-o0Rs9rU2ugCPDu666wzWxCrAD6Sb2Wy52BD4g@mail.gmail.com>
To: "J.C. Jones" <ietf@insufficient.coffee>, "acme\\@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/tUrgiw_nRYbKXqRtMJYn6h_mjlw>
Subject: Re: [Acme] Renewal Information extension: Proposal to add an Explanation URL

How can we make this testable, and ensure ACME clients won't break because
of bugs that only show in the edge cases when this explanation URL is
given? The current ARI proposal looks identical to the ACME client no
matter if it is a regular scheduled renewal, or an exceptional renewal,
which makes it harder to introduce bugs in the ACME clients for the
exceptional case.

On Thu, 10 Feb 2022 at 05:38, J.C. Jones <ietf@insufficient.coffee> wrote:

> While ARI is clearly intended for automated usage, its ease of
> construction permits interested third parties with knowledge of a
> certificate to request the ARI information as well as the
> certificate's subscriber. This is a feature, not a bug, as it permits
> another useful use case:
>
> Imagine a certificate lifecycle tool that monitors many TLS endpoints
> for certificate lifetime and status. Such a tool could naturally also
> query the ARI endpoint for each compatible certificate, as a means of
> determining certificate lifetime in the face of pending revocation.
>
> When the tool notices via ARI that a certificate should be renewed
> early, that's probably going to generate alerts -- and it would be
> valuable to those receiving an alert for a certificate that suddenly
> needs renewal to have some context as to why, if it's possible.
>
> Hence, I propose we add an optional field to the ARI response
> structure, "explanationURL", which when populated should be presented
> in any user-visible context (logging, alerting, etc) by the
> ARI-compatible client. It would be up to the Certificate Authority to
> ensure the URL presented appropriately translated information for the
> operator, and the CA _should_ only provide the field if there was
> something exceptional that warranted additional explanation or
> context.
>
> J.C.
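The two concerns raised in this exchange, an optional "explanationURL" that a CA populates only for exceptional renewals and a client that must behave identically whether or not the field is present, can be checked side by side in code. The following is an added example, not code from the ARI draft, from J.C. Jones's proposal, or from any ACME client. It assumes the response shape of the ARI draft (a "suggestedWindow" object with RFC 3339 "start" and "end" timestamps), which the thread does not spell out, and every sample response in it is constructed. The client treats the URL as untrusted data from a third party: it is validated, shown to a human as text in logs and alerts, and never fetched.

```python
"""Defensive parsing of an ARI response carrying the optional "explanationURL".

Added example (not from the ARI draft or any ACME client).  Assumed, not on
the page: the "suggestedWindow" response shape from the ARI draft and every
constructed sample response below.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Printable ASCII only, so a CA-supplied URL cannot smuggle CR/LF or other
# control characters into the log lines and alerts it will be displayed in.
_PRINTABLE = re.compile(r"^[\x20-\x7e]+$")
MAX_URL_LEN = 2048  # constructed limit; the proposal sets none

# Constructed sample responses: one regular renewal, one exceptional renewal
# with an explanation URL, and three malformed variants of the optional field.
_WINDOW = '"suggestedWindow": {"start": "2022-02-15T00:00:00Z", "end": "2022-02-17T00:00:00Z"}'
SAMPLES = {
    "regular": f"{{{_WINDOW}}}".encode(),
    "exceptional": f'{{{_WINDOW}, "explanationURL": "https://ca.example/incidents/2022-02"}}'.encode(),
    "not_https": f'{{{_WINDOW}, "explanationURL": "http://ca.example/incidents/2022-02"}}'.encode(),
    "not_a_string": f'{{{_WINDOW}, "explanationURL": 42}}'.encode(),
    "control_chars": f'{{{_WINDOW}, "explanationURL": "https://ca.example/x\\nFAKE ALERT"}}'.encode(),
}


@dataclass(frozen=True)
class RenewalInfo:
    window_start: datetime
    window_end: datetime
    explanation_url: Optional[str]  # None unless the CA sent a usable URL
    warnings: tuple                 # why an explanationURL was dropped, if it was


def _parse_rfc3339(value: object) -> datetime:
    if not isinstance(value, str):
        raise ValueError("timestamp must be a string")
    # fromisoformat() only accepts a trailing "Z" from Python 3.11; normalise it.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def sanitize_explanation_url(value: object) -> tuple:
    """Return (url, None) if usable, else (None, reason).  Never raises: a bad
    optional field must not break the mandatory renewal-window logic."""
    if value is None:
        return None, None
    if not isinstance(value, str):
        return None, "explanationURL is not a string"
    if len(value) > MAX_URL_LEN:
        return None, "explanationURL too long"
    if not _PRINTABLE.match(value):
        return None, "explanationURL contains control or non-ASCII characters"
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.netloc:
        return None, "explanationURL is not an https URL"
    return value, None


def parse_ari_response(body: bytes) -> RenewalInfo:
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("ARI response must be a JSON object")
    window = doc.get("suggestedWindow")
    if not isinstance(window, dict):
        raise ValueError("missing suggestedWindow")
    start = _parse_rfc3339(window.get("start"))
    end = _parse_rfc3339(window.get("end"))
    if end <= start:
        raise ValueError("suggestedWindow end is not after start")
    url, reason = sanitize_explanation_url(doc.get("explanationURL"))
    return RenewalInfo(start, end, url, (reason,) if reason else ())


def renewal_alert(info: RenewalInfo, not_after: datetime, now: datetime) -> Optional[str]:
    """One-line alert text for a monitoring tool, or None if nothing is due.
    The URL is included as text for the operator; the client never fetches it."""
    if now < info.window_start:
        return None
    early = info.window_end < not_after  # CA wants renewal well before expiry
    msg = "renewal due now" + (" (earlier than expiry)" if early else "")
    if info.explanation_url:
        msg += f"; CA explanation: {info.explanation_url}"
    return msg


def run_edge_cases() -> dict:
    """Parse every sample: the renewal window must be identical in all of them,
    and only the presence of a usable explanation URL may differ."""
    baseline = parse_ari_response(SAMPLES["regular"])
    results = {}
    for name, body in SAMPLES.items():
        info = parse_ari_response(body)
        assert (info.window_start, info.window_end) == (baseline.window_start, baseline.window_end)
        results[name] = (info.explanation_url, info.warnings)
    return results


def demo_alerts() -> dict:
    """Alert text each sample produces on 15 Feb 2022 for a certificate
    expiring 30 Apr 2022 (constructed dates)."""
    now = datetime(2022, 2, 15, 12, 0, tzinfo=timezone.utc)
    not_after = datetime(2022, 4, 30, tzinfo=timezone.utc)
    return {name: renewal_alert(parse_ari_response(body), not_after, now)
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, (url, warnings) in run_edge_cases().items():
        print(f"{name:14s} url={url!r} warnings={warnings}")
    for name, text in demo_alerts().items():
        print(f"{name:14s} {text}")
```

The point of `run_edge_cases()` is the one Jesper raises: the malformed variants exercise the code path that only runs when the field is present, and the assertion inside it pins down that the renewal decision itself is unaffected by anything the optional field contains.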