Re: [Anima] [lamps] [Acme] Long-lived certificates, but frequently renewed certificates

John Gardiner Myers <jgmyers@proofpoint.com> Tue, 23 March 2021 17:17 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: <spasm@ietf.org>, <acme@ietf.org>, <anima@ietf.org>
References: <20210318130241.A6B44389A8@tuna.sandelman.ca> <22886.1616091336@localhost> <55529652-7455-8bfb-6436-7b269be4a421@proofpoint.com> <31484.1616261957@localhost>
From: John Gardiner Myers <jgmyers@proofpoint.com>
Message-ID: <6d50f760-765e-0de9-77e3-39530490cd66@proofpoint.com>
Date: Tue, 23 Mar 2021 10:17:05 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
In-Reply-To: <31484.1616261957@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Kxdkk8vd60egGojj8IOmp3d3Bhg>
Subject: Re: [Anima] [lamps] [Acme] Long-lived certificates, but frequently renewed certificates
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

On 3/20/21 10:39 AM, Michael Richardson wrote:
> John Gardiner Myers <jgmyers=40proofpoint.com@dmarc.ietf.org> wrote:
>      > I would frame this in terms of impending revocation. Consider the case, as
>      > has happened in the past, where a CA discovers that there is a problem with
>      > some or all of the previously issued certificates requiring the CA to revoke
>      > said certificates within a few days. How can the ACME client managing renewal
>      > learn from the CA of the need to renew prior to the revocation, so to avoid a
>      > service interruption?
>
> Would this signal occur at the time of issuance, or are you thinking that it
> would occur some time into the validity period?

It would have to occur some time into the validity period as the time of 
revocation would not be known at the time of issuance.

Roland Shoemaker's ACME proposal resonates with my thinking, with one 
exception: since an ACME client typically manages a stable of desired 
certificates and the lack of any recent or impending revocations is the 
common case, it might make sense for the client to query "are there any 
unexpired certificates issued through this ACME account that are being 
revoked soon or recently?"