Re: [Acme] Call for adoption of draft-aaron-acme-ari-02
Peter Thomassen <peter@desec.io> Mon, 30 May 2022 15:54 UTC
Return-Path: <peter@desec.io>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC6AC15AAD3 for <acme@ietfa.amsl.com>; Mon, 30 May 2022 08:54:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.785
X-Spam-Level:
X-Spam-Status: No, score=-3.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h67OBlQ9F4HZ for <acme@ietfa.amsl.com>; Mon, 30 May 2022 08:54:39 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F11AC15AAD2 for <acme@ietf.org>; Mon, 30 May 2022 08:54:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:Cc:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=p4E+k5e1rnTCM3Rho78aUKM4t/X3m/ITMBbUPacwRrw=; b=ewG6BZdf//lsA3SAEhT1WGIB1w lmw1IYCV9b4daJ+wZPfAdQWta0EPnrctwGE4g3yJcaoFCCSC0sk2cYqw919eUQvdgksdQrtiIoRWj 2zhYMthQqjr7PJfz/5TNDgq/a7AEV27lUJ2Eotk1tBlzspapEbtGo8s4LXngnZR+2+w6g3E6aYnQy kdyXbJABL4gQZkHsmb0xZ1iCfjzO8/K0DIwF/jgblM5BmgudzxWEKIVAixjYjCEZFvABswVsBZ9xi 54tJ5zqAS/zeKaBB+cdjQXyM+kuVYFPZ7RQm+LTwG2MIQnKuaUdH7Sz+VqJ7n0oWYOsbEFIpHuLjq b579lTLg==;
Received: from ip5f5aec77.dynamic.kabel-deutschland.de ([95.90.236.119] helo=[192.168.1.171]) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1nvhix-0007xH-Gx; Mon, 30 May 2022 17:54:31 +0200
Message-ID: <59df1980-2a2a-2e49-09fa-91c1fbef4563@desec.io>
Date: Mon, 30 May 2022 17:54:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Deb Cooley <debcooley1@gmail.com>, IETF ACME <acme@ietf.org>
Cc: Dorothy E Cooley <decoole@radium.ncsc.mil>
References: <CAGgd1OevCu61rbCAOv1fcB-eFoRD6CMKnj=5Qy6XVqQroakR0g@mail.gmail.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CAGgd1OevCu61rbCAOv1fcB-eFoRD6CMKnj=5Qy6XVqQroakR0g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zCX7hZHtC_PtMLuRQNvZW3HEDpQ>
Subject: Re: [Acme] Call for adoption of draft-aaron-acme-ari-02
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 May 2022 15:54:43 -0000
Hello, I have a hard time deciding whether the proposal is a good idea or not, because the document does not contain sufficient information for me to make up my mind. In particular, I only see a problem statement and a solution proposal, but no reasoning on alternatives and why the proposal is the way to go. This may be partly because I'm new to the list, but nevertheless, I think a document in general should present some arguments for its existence. (But I'm also happy with pointers to earlier messages on the list.) In particular, Section 1 states that clients renew certificates either a) at specific intervals, or b) a specific amount of time before the certificate's expiration, or c) when some percentage of the validity period has passed. I buy the argument that this causes problems with load spikes. Cases b) and c) may be alleviated more easily (in particular: with no client-side complexity, no protocol change, and no extra GET requests to the server), by smearing the certificate validity period, at issuance, randomly across 1%, e.g. between 100% and 101%, or between 99% and 100%. As a result, renewals would be attempted at random times of the day if the validity is at least ~3 months. In general, that is achieved if the smearing is designed to cover a full day. (This is assuming common web PKI validity periods. For very short-lived (~days) certificates, one would have to discuss whether such smearing would be too large a fraction of the total period.) Renewal timing could be randomized on the client side as well. This would also cover case a). While requiring a client upgrade, the ARI proposal does so as well. If it is expected that clients will be sufficiently upgrade-able in order to get ARI deployed, then what is the reasoning that the same thing can't be achieved with client-side smearing? I know that some clients do randomize, and it seems like that has not been successful, otherwise we wouldn't have this draft. Is that the case? Why? (And we should we have higher hopes for succeeding with ARI support on the client side?) IMHO, the proposal demands rather high cost (client-side change, server-side change, protocol change, extra requests). Having some arguments why it is worth it will make it much easier to decide whether it should be adopted or not. Best, Peter On 5/24/22 13:30, Deb Cooley wrote: > There has been some discussion of draft-aaron-acme-ari-02 on the mail list, at working group meetings, and the technical concerns have been addressed. > > Should the ACME WG adopt “Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension” in draft-aaron-acme-ari-02? > > Please reply to this message within the next two weeks, by Tuesday, 7 June 2022 to voice your support or opposition to adoption. > > On behalf of the ACME WG Chairs, > Deb Cooley > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme -- https://desec.io/
- [Acme] Call for adoption of draft-aaron-acme-ari-… Deb Cooley
- Re: [Acme] Call for adoption of draft-aaron-acme-… Peter Thomassen
- Re: [Acme] Call for adoption of draft-aaron-acme-… Aaron Gable
- Re: [Acme] Call for adoption of draft-aaron-acme-… Melinda Shore
- Re: [Acme] Call for adoption of draft-aaron-acme-… Peter Thomassen
- Re: [Acme] Call for adoption of draft-aaron-acme-… Deb Cooley