Re: [Anima] [Acme] Long-lived certificates, but frequently renewed certificates

John Gardiner Myers <jgmyers@proofpoint.com> Thu, 18 March 2021 18:45 UTC

To: <spasm@ietf.org>, <acme@ietf.org>
CC: <anima@ietf.org>
References: <20210318130241.A6B44389A8@tuna.sandelman.ca> <22886.1616091336@localhost>
From: John Gardiner Myers <jgmyers@proofpoint.com>
Message-ID: <55529652-7455-8bfb-6436-7b269be4a421@proofpoint.com>
Date: Thu, 18 Mar 2021 11:45:32 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.8.1
In-Reply-To: <22886.1616091336@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/hAXDXzDi8jjh0UFdtoYlRUDUL0E>
Subject: Re: [Anima] [Acme] Long-lived certificates, but frequently renewed certificates
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

On 3/18/21 11:15 AM, Michael Richardson wrote:
> As far as I know, the only signal for when to renew is notAfter.
> Generally, one should renew sometime after the half-way point.
> (LetsEncrypt policy of 90 days, but discouraged to renew until 60 days)
>
> It seems that a CA ought to be able to express some other kind of renewal
> period directly. Is there any work in this area?

I would frame this in terms of impending revocation. Consider the case,
as has happened in the past, where a CA discovers that there is a
problem with some or all of the previously issued certificates, requiring
the CA to revoke said certificates within a few days. How can the ACME
client managing renewal learn from the CA of the need to renew prior to
the revocation, so as to avoid a service interruption?

I believe this problem is within the scope of the ACME WG's charter,
but would require someone with CA experience to propose an ACME extension.
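The two points in this exchange, worked through as an added example: the notAfter-only renewal rule Michael describes (renew past the half-way point; Let's Encrypt's 90-day lifetime with renewal from day 60, i.e. two thirds), and John's observation that the client has no channel through which a CA can ask for earlier renewal. This is my code, not code from either author or from any ACME client. The `Validity` class and the `renewal_time` / `should_renew` functions are this example's own names, and the `ca_deadline` parameter is hypothetical: it stands in for a CA-supplied early-renewal signal that the thread notes does not exist in ACME as written, so that the effect of such a signal on scheduling can be seen next to the notAfter-only policy. The certificate dates are constructed.

```python
"""Renewal scheduling from a certificate's validity window.

Added example (not from the thread or from any ACME implementation).
The policy numbers come from the message: renew once two thirds of the
lifetime has elapsed, matching Let's Encrypt's 90-day certificates and
day-60 renewal; fraction=0.5 is the plain "half-way point" rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Validity:
    """notBefore / notAfter of one certificate, both timezone-aware (UTC)."""
    not_before: datetime
    not_after: datetime

    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def renewal_time(v: Validity, fraction: float = 2 / 3,
                 ca_deadline: Optional[datetime] = None,
                 margin: timedelta = timedelta(days=2)) -> datetime:
    """Earliest point at which the ACME client should renew.

    With only notAfter available (the situation the thread describes),
    the answer is notBefore + fraction * lifetime.

    ca_deadline is HYPOTHETICAL: there is no ACME field carrying it. It
    models the case John raises, where the CA knows it must revoke by a
    given date; renewal is then pulled forward to `margin` before that
    date if that is earlier than the fraction-based time.
    """
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    if v.not_after <= v.not_before:
        raise ValueError("notAfter must be later than notBefore")
    planned = v.not_before + v.lifetime() * fraction
    if ca_deadline is not None:
        planned = min(planned, ca_deadline - margin)
    return planned


def should_renew(v: Validity, now: datetime, fraction: float = 2 / 3,
                 ca_deadline: Optional[datetime] = None) -> bool:
    """True once the planned renewal time has been reached.

    An already-expired certificate always yields True, since the planned
    time never lies after notAfter.
    """
    return now >= renewal_time(v, fraction, ca_deadline)


def days_until_renewal(v: Validity, now: datetime,
                       fraction: float = 2 / 3) -> int:
    """Whole days until the notAfter-based renewal time (0 when due)."""
    delta = renewal_time(v, fraction) - now
    return max(0, delta.days)


# Constructed sample: a 90-day certificate issued 2021-03-01 (UTC).
UTC = timezone.utc
SAMPLE = Validity(not_before=datetime(2021, 3, 1, tzinfo=UTC),
                  not_after=datetime(2021, 5, 30, tzinfo=UTC))


if __name__ == "__main__":
    now = datetime(2021, 3, 18, tzinfo=UTC)  # the date of the thread
    print("two-thirds rule renews at", renewal_time(SAMPLE).date())
    print("half-way rule renews at  ", renewal_time(SAMPLE, 0.5).date())
    print("days until renewal       ", days_until_renewal(SAMPLE, now))
    # Hypothetical CA deadline: revocation announced for 2021-04-10.
    print("with CA deadline, renew  ",
          renewal_time(SAMPLE, ca_deadline=datetime(2021, 4, 10, tzinfo=UTC)).date())
```

The notAfter-only path shows why the thread's question matters: nothing in `renewal_time` other than the hypothetical `ca_deadline` lets a CA move the date, so a client running this policy against a 90-day certificate would not renew before day 60 even if revocation were scheduled for day 40.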