[Acme] Re: ACME and PLANTS

Aaron Gable <aaron@letsencrypt.org> Thu, 12 March 2026 20:39 UTC

Return-Path: <aaron@letsencrypt.org>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9F4ECC90B807 for <acme@mail2.ietf.org>; Thu, 12 Mar 2026 13:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=letsencrypt.org
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bTRtKy_HDuw for <acme@mail2.ietf.org>; Thu, 12 Mar 2026 13:39:35 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E2D7EC90B7B8 for <acme@ietf.org>; Thu, 12 Mar 2026 13:39:30 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id 5614622812f47-466ebbf7ff7so562172b6e.1 for <acme@ietf.org>; Thu, 12 Mar 2026 13:39:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1773347964; cv=none; d=google.com; s=arc-20240605; b=CBndGC3UE8EO8ANugk2lHAkebBaEWbGWSXtrfeIb5nYpSrZcyNL4fJfOVQC0TEbMzm zo2SHcUvgU/4zkJKtRILf7iOVC11NFvkZOLyVWm90TiDq+OxUl06S0yJm5wsh62uTM1k Ik2iBp19gqNGQxGnWpW5LeAn9KkiA+pGBaSnEqaIMq1EqI5QK7ybNNSeSk32X6MiTXFw XCXCVwFBVhDoix6xABwgtYZcaOiuLrRUAbvtAXeYwDGmFugPIAmkwQYL+tsqjSDK6ABR r9AkgSYMFcgjpZYo6lHG8xMqxCUVCKJFEsDos5fxYqFzKRInFSOsZQ97mcbgbS2YvsMi 9aQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=IuaUCQkUH2UBLg0kbKVDZnI2/w5J4saUYuWeqXRM48Q=; fh=m5iCvA27lWzqmhz+bijjmFwkq64KFDCFjukvQxLK/FU=; b=HGGfayYqIUjCtQUCnfSbGZGl1BGzvmRzh2jskKOiztT1TaitSLnlknyvR6ZvDn5h32 X8nRUyPtZk6tgDBGEUS4u/Qp7/3E9BOFVTUGwe5rzyWSilKD7Lt7znCqX4P6m6wDaVoj awPk7v0prxWYljpAzZyMZf2XKrMTiuKKGAI7gN73l0Gq45L9+cuILgz8+2qcGTmB24iw tyzZttgX+6VO9b/b61eGFZIbtefxDjyLuif+CIOuljAQH3QJ/pyW6yB+R9PIaIDfcIDM UBsRbsayWXjS//2H+NTqe5/6CUHi9C9aYLKxeOD+jXMN2BiW4s3wujrXvBwP7CfWqHS5 cx7g==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=letsencrypt.org; s=google; t=1773347964; x=1773952764; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=IuaUCQkUH2UBLg0kbKVDZnI2/w5J4saUYuWeqXRM48Q=; b=Ua5fE4Z4thz3NQw3dyCLkAGptdPHoF3TFnCsmyV1zXlFGnlOJW9udafEhgGns5GGHU 9R0okP+wy8rMarKesyEzOt3qTJDxk7zVpbPYOlJ2vnJEdmf8H6y6xSQsJDw2tyJZU8/A lvK8cEaGnYvU+Y0pHJ060lmcIlXRuHpjUGzLE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1773347964; x=1773952764; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=IuaUCQkUH2UBLg0kbKVDZnI2/w5J4saUYuWeqXRM48Q=; b=vNu/g2CPa7SB8P4qZDm1DF8hZRvYIF3H3W4PeHXW9BaFs+Pl/d/8otEskt+G+Hfv0o OVuf83uPsdsDionShpb/Yu2fUknUyf2RxaHVqU/2QfUy0sCrEWhGU8Gsfd31ogKZqLG5 ffLTHlCZ/romkQc6XF/YQzVq3XltA0kt7booJoiRIy8jQv+G1HL3iVygrQKXIhsoOSCl Xf3OfZirCTUoL6HYGYylN78dbsua//Fdynl00MPH46Qjy3MKwNU1O0uWnd5HeaeCc6iD ngmI2yizV5aardjdznhhswRBGGOwVofN3Hnrbrp5DjpFtzJWYc4oj6vx2zkAs57KoSt5 jeLQ==
X-Gm-Message-State: AOJu0YxiSMmZa2dDqc/T9/Y/27/PGDjgrLhiBCJQWcl5rXSiwhyr+N/o N3PIaWbHaR3Eoqdfr4jd9tbKnrcM2LMgFQmybCyKUD4f+oxZ4KeHD7RhQITVJdNLn5oK3BfdWWT 6PX5m6oOlOMtmP0HsxsDIl7HAXBlV1PKKu/Ak7VNbYnhW7RfBhcDx4uk=
X-Gm-Gg: ATEYQzwUh7MFSbh8eWApsFcb7rPIBlYzG9nCUe57JS/GBxApSX10/7ojFUIcwn4WtDz dJ5GUCsahbV5+HESGkMtOki13F+H7AoRg+hy0nfcXMFqKFwahHYgnroa7u9R0EzihY5mk7cILZf pBtMHI8mF+XfrqSbWt24FKoyx9XZquiQzWcPue0x7GinoHB3Odcg9ZpfeZwuCXQjyF9ohRRrlGo 5cC9uKTrOBnWtVy+fZMgz8IDKJuhmdqWjnZZp15soO75+rcEM62q573oOxd5MzAAXhTWntdYLKv VaWrUkM1aLaGdFpswaI=
X-Received: by 2002:a05:6808:181d:b0:467:17a0:38c8 with SMTP id 5614622812f47-4675755f2dcmr364802b6e.50.1773347963729; Thu, 12 Mar 2026 13:39:23 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaApZbT5C1q3-g5yTPxYJTuJeZqMgb=_Gu=hqYRnrtiJkA@mail.gmail.com>
In-Reply-To: <CAF8qwaApZbT5C1q3-g5yTPxYJTuJeZqMgb=_Gu=hqYRnrtiJkA@mail.gmail.com>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Thu, 12 Mar 2026 13:39:12 -0700
X-Gm-Features: AaiRm50e0PLG-V-eGL-9GR0ohfn38GnfKBowZLMoqknOC9KatyysTmdUAfGtKHs
Message-ID: <CAEmnErd5umKYrx_tZ+QgCnWAsvw4TAWqpS=kYd4sen7P1cPJ4Q@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Content-Type: multipart/alternative; boundary="000000000000710b4f064cd9bff3"
Message-ID-Hash: NCSF2VJYZG6RTQKRAAJJIRFLJ75FLGPE
X-Message-ID-Hash: NCSF2VJYZG6RTQKRAAJJIRFLJ75FLGPE
X-MailFrom: aaron@letsencrypt.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: IETF ACME <acme@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: ACME and PLANTS
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/uMht9yT61fGqoxROyYJ9-ttvUbQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

What follow are all of the reasonable approaches that have occurred to me,
presented in order from least to most desirable in my personal opinion:

1) Add a new field to the Order object, so that a finalized MTC order can
have both a "certificate" URL and a "landmarkCertificate" URL or something
like that. This is simple, and makes it very clear to the client that only
one of the two expected certificates has been issued so far. But it may
cause breakage in clients that don't like unexpected fields when parsing
JSON objects, and it feels overly-specific: why should the entire ACME
protocol have to know about landmark certificates, even when deployed in
private PKIs that aren't using MTC?

2) Replace the original contents of the certificate URL (a standalone
certificate) with different contents (a landmark certificate) when the
landmark certificate becomes available. This is similar to ACME STAR's
approach (RFC 8739), where the contents of the "star-certificate" URL are
periodically updated by the CA under the assumption that the client will
poll that URL. But that RFC decided to create a new Order field
("star-certificate") rather than overload the semantics of the existing
certificate field, so we probably don't want to go back on that decision.
And there is no simple way to communicate to the client when the contents
will be replaced (note that ACME STAR does this with a whole new sub-object
on the Order).

3) When the landmark certificate becomes available, add a new `link
rel=alternate` to the certificate resource, indicating that an alternate
version of the certificate is now available. This is nice and simple, but
still gives the server no way to communicate when the landmark cert will be
available.

4) When the standalone cert is first downloaded, *immediately* include a
`link rel=alternate` pointing to a different URL where the landmark cert
will be served. When that URL is accessed, respond with a reasonable status
code and include a Retry-After header indicating when the landmark cert
will be available. Then the client can just retry that URL at the indicated
time to get the landmark cert.

This fourth idea is what we've discussed in the past, and is what is
described in the current MTC draft. I include the other options here to
show that they've been considered, and to illustrate why I believe they are
inferior to the current proposal.

Aaron

On Thu, Mar 12, 2026 at 10:53 AM David Benjamin <davidben@chromium.org>
wrote:

> Hi ACME folks,
>
> (I wasn’t sure about cross-posting etiquette, so I haven't CC'd plants@
> here. Rather, I’ll point plants@ to this thread shortly. Figure it’s
> always easier to merge threads than to split them.)
>
> For folks who haven’t been following, we have a new PLANTS
> <https://datatracker.ietf.org/group/plants/about/> WG! It’s definitely
> not just an excuse to make plant puns. The WG recently adopted Merkle
> Tree Certificates
> <https://datatracker.ietf.org/doc/draft-ietf-plants-merkle-tree-certs/>
> (MTC) as a starting point. This is all quite early (and obviously I’m
> just speaking for myself and not the group), but there is some overlap with
> ACME and I figure it's better to start conversations sooner than later.
>
> The draft has an initial pass at how to put them together here. Happily,
> it seems ACME is already rich enough to express what MTC needs, with
> fairly minimal additions/guidance:
>
>
> https://www.ietf.org/archive/id/draft-ietf-plants-merkle-tree-certs-02.html#name-acme-extensions
>
> Some context:
>
> These slides
> <https://datatracker.ietf.org/meeting/124/materials/slides-124-plants-solution-space-and-dispatched-work-00>
> from the BoF are a good starting point for how MTC works. The ACME
> interaction is that, for each certificate request, an MTC CA returns two
> certificates: a “standalone certificate” (large, immediate, generally
> usable) and a “landmark certificate” (small, delayed, not generally usable,
> optional). The CA...
>
> 1. Validates the certificate request.
> 2. Appends the information to a log, signs it, etc. This step constitutes
> issuance.
> 3. Constructs a standalone certificate that serves as proof of this
> issuance.
> 4. Waits some time (hours) for a “landmark” to be allocated.
> 5. Constructs a landmark certificate that serves as an alternate proof of
> this same issuance.
>
> MTC wants a way to configure ACME to deliver both certificates (one
> immediately and one that the ACME client can optionally retrieve later,
> after some delay), along with any metadata needed for the TLS server (etc)
> to select between the two.
>
> The current proposal is to use ACME's existing alternate URLs feature,
> modeling the delay with the HTTP Retry-After header from RFC 9110. (Another
> option is to make multiple orders. That would let us model the delay with
> the "processing" status, but since it’s one validation and issuance event,
> one order + alternate URLs seemed a better fit.)
>
> Thoughts? Is this a good approach to using ACME?
>
> David
>
> PS: This is not directly part of the Profile Sets proposal. I’m quite
> behind on my inbox and need to follow-up on that! :-) For MTC, the two
> certs correspond to one issuance event and are renewed together, so I think
> we want only one order. Though the problem space is definitely related and
> perhaps my initial guess at one or both was wrong!
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-leave@ietf.org
>