Re: [Acme] Proposal: ACME Profiles

Christopher Cook <> Thu, 31 August 2023 04:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0D49CC15C509 for <>; Wed, 30 Aug 2023 21:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hF3Vs9REXqaG for <>; Wed, 30 Aug 2023 21:39:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2731CC15256E for <>; Wed, 30 Aug 2023 21:39:01 -0700 (PDT)
Received: from [] (unknown []) (Authenticated sender: by (Postfix) with ESMTPSA id 2960DC5A26 for <>; Thu, 31 Aug 2023 05:38:54 +0100 (BST)
Message-ID: <>
Date: Thu, 31 Aug 2023 12:38:57 +0800
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
From: Christopher Cook <>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [Acme] Proposal: ACME Profiles
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Automated Certificate Management Environment <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Aug 2023 04:39:06 -0000


For context, it was myself who was interested in ACME CAs advertising 
their supported features via the directory or a capabilities endpoint, 
my client has an unusual emphasis on multi-CA use and automated CA fallback.

Aaron's proposal does actually complement that because in the future an 
endpoint could still exist which defines the features supported by a 
profile. e.g. things you specifically need or things you can ask for 
that will allow your order to proceed without it blowing up. These 
include: supported key types, supported min/max lifetimes, included 
EKUs, is-publicly-trusted-by-browser-root-programs, supported 
identifiers (dns, ip, Stir/Shaken TnAuthList etc), identifiers profiles 
(like single domain, multiple SAN, domain+www, single wildcard, 

I agree it's a stretch to try to include these at the moment but 
hopefully at some point in the future an ACME CA should be able to 
advertise what it can be used for. The purpose of that is to be able to 
select a CA from a whole bunch of candidates and have reasonable 
confidence that they are both compatible with your order (or one of 
their profiles is) and will give you a cert with the features you need. 
I agree this is out of scope for most clients.

Christopher Cook