[Acme] Re: ACME and PLANTS
Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 13 March 2026 13:07 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/zhN_BdJOQp8NKnJPlY9QkKD3Llk>
On Fri, Mar 13, 2026 at 04:02:00PM +0800, David Benjamin wrote:
>
> I'd certainly lean towards smaller changes over big ones. That seems
> generally easier for folks to adopt. There seems to be a pretty good
> analogy to the existing alternate chains thing.

However, even if a change looks small, it can still be very hard to adopt
due to increased complexity.

> Different paths to the same leaf certificate are acceptable to different
> relying parties, depending on what they trust, but ultimately describe the
> same issuance event. Similarly, standalone and landmark certificates
> ultimately describe the same issuance event (thus one order), but different
> relying parties will accept different of these. And then the trust anchor
> IDs machinery replaces the heuristics with something well-defined.
>
> The only new thing is that one alternate takes some time to become
> available, hence the Retry-After idea. (Not necessarily the only or best
> way to spell this, but that was some of the thinking behind this particular
> idea. Aaron posted a more complete list of other options. This one feels
> the most natural to me.)

An alternate becoming available later is one of those changes that look
small, but have major complexity impact.

And that is not the only new thing. With alternates, the client chooses
only one, with this it uses both.

-Ilari