On 18/4/2024 7:58 PM, Aaron Gable via Servercert-wg wrote:
>> 1. Section 9.6.1 adds language that imposes or makes the following
>> requirements explicit:
>> i. the Subscriber has been provided with the most current
>> version of the Subscriber Agreement;
>> ii. the applicable Subscriber Agreement is the Subscriber
>> Agreement that was accepted when the Certificate was issued; and
>>
>> I am aware that ACME RFC 8555 section 7.3.3 provides a mechanism
>> for updating the Subscriber Agreement ("Terms of Service" in the
>> RFC). The language above seems to imply that this mechanism must
>> be used whenever a CA changes their Subscriber Agreement. Has this
>> mechanism been deployed and used at scale?
>
> I concur that this appears to be a new requirement, not simply a
> unification of the current SA and ToS language. That's surprising,
> given the ballot description and purpose.
>
> The mechanism described in RFC 8555 Section 7.3.3 for ACME servers to
> update the Subscriber Agreement is poorly designed, impractical, and
> is not fully implemented by any ACME CA that I am aware of.
> Specifically, the whole point of ACME is that it is automated --
> operators should not need to intervene except when they make changes
> to their own systems. In fact, many ACME clients have no direct way to
> reach their operators (i.e. no email or other notification
> facilities), they just log to a file which the operator theoretically
> reads but in practice wholly ignores. So an ACME CA breaking every
> single ACME client until that client's operator takes manual action is
> a non-starter.
I'm not sure I understand this concern. ACME clients provide a mechanism
for the Applicant to "accept" the Terms of Service or Subscriber
Agreement and signal that action to the CA. The ballot merely says that
the CA must provide their latest ToU/SA to the Applicants (this can be
done via a URL presented to the Applicant), and the Applicants must
signal their acceptance before proceeding.
What happens if the SA/ToS document changes? I had the impression that
the ACME client would be able to see the new version and ask that the
updated version be accepted. How does this process work in practice?
Thanks,
Dimitris.
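To make the RFC 8555 section 7.3.3 exchange concrete (the mechanism Aaron calls impractical and Dimitris asks about), here is an added simulation of both sides; it is example code written for this page, not code from the thread, from any ACME CA or from any ACME client. The server keeps one current terms-of-service URL, refuses a new-order request from an account that agreed to an older version by returning a problem document of type `urn:ietf:params:acme:error:userActionRequired` with a `Link: <...>;rel="terms-of-service"` header and an `instance` URL, and the unattended client can do nothing but log those URLs and stop until an operator sends an account update with `termsOfServiceAgreed: true`. Everything is in memory (no network, no JWS signing); the URLs, account id and the HTTP status 403 on the error are assumptions for illustration, since the RFC fixes the error type and headers but not the status code.

```python
"""RFC 8555 section 7.3.3 terms-of-service change flow, simulated.

Added example, not code from the mailing-list thread or any ACME CA.
Both sides are in-memory stand-ins with constructed URLs and ids.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Error type from RFC 8555 section 6.7, required by section 7.3.3.
USER_ACTION_REQUIRED = "urn:ietf:params:acme:error:userActionRequired"


@dataclass
class Account:
    kid: str                   # account URL (constructed)
    agreed_tos: Optional[str]  # ToS URL the account holder agreed to


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: dict


class AcmeServer:
    """Minimal CA side: one current ToS URL, re-agreement enforced on use."""

    def __init__(self, tos_url: str, instance_url: str):
        self.tos_url = tos_url            # published in directory "meta"
        self.instance_url = instance_url  # where a human is sent to agree

    def directory(self) -> dict:
        return {"newOrder": "https://ca.example/new-order",
                "meta": {"termsOfService": self.tos_url}}

    def publish_new_terms(self, tos_url: str, instance_url: str) -> None:
        self.tos_url, self.instance_url = tos_url, instance_url

    def new_order(self, account: Account, identifiers: List[dict]) -> Response:
        if account.agreed_tos != self.tos_url:
            # Section 7.3.3: userActionRequired, a Link header with
            # rel="terms-of-service", and an "instance" URL for a human.
            # Status 403 is our assumption; the RFC does not fix the code.
            return Response(
                403,
                {"Content-Type": "application/problem+json",
                 "Link": f'<{self.tos_url}>;rel="terms-of-service"'},
                {"type": USER_ACTION_REQUIRED,
                 "detail": "Terms of service have changed",
                 "instance": self.instance_url})
        return Response(201, {"Location": f"{account.kid}/orders/1"},
                        {"status": "pending", "identifiers": identifiers})

    def update_account(self, account: Account, agreed: bool) -> Response:
        # "termsOfServiceAgreed": true binds the currently published terms
        # to the account; nothing else in the request is needed here.
        if agreed:
            account.agreed_tos = self.tos_url
        return Response(200, {}, {"status": "valid",
                                  "termsOfServiceAgreed": agreed})


# Picks the terms-of-service relation out of a Link header value.
_TOS_LINK = re.compile(r'<([^>]+)>\s*;\s*rel="?terms-of-service"?')


def parse_tos_link(link_header: Optional[str]) -> Optional[str]:
    """Return the new ToS URL from a Link header, or None if absent."""
    m = _TOS_LINK.search(link_header or "")
    return m.group(1) if m else None


class AcmeClient:
    """Unattended client: it can only log when a human is needed."""

    def __init__(self, server: AcmeServer, account: Account):
        self.server, self.account, self.log = server, account, []

    def request_order(self, identifiers: List[dict]) -> Optional[dict]:
        resp = self.server.new_order(self.account, identifiers)
        if resp.body.get("type") == USER_ACTION_REQUIRED:
            new_tos = parse_tos_link(resp.headers.get("Link"))
            # No human in the loop: record both URLs and give up this run.
            self.log.append(f"terms changed: {new_tos}; "
                            f"operator must visit {resp.body.get('instance')}")
            return None
        return resp.body

    def operator_accepts_terms(self) -> None:
        # The manual step: after review, send termsOfServiceAgreed=true.
        self.server.update_account(self.account, agreed=True)


def run_scenario() -> dict:
    """agree to v1 -> CA publishes v2 -> refusal -> re-agree -> success."""
    server = AcmeServer("https://ca.example/tos-v1.pdf",
                        "https://ca.example/agree")
    acct = Account(kid="https://ca.example/acct/42",
                   agreed_tos=server.directory()["meta"]["termsOfService"])
    client = AcmeClient(server, acct)
    ids = [{"type": "dns", "value": "www.example.com"}]
    first = client.request_order(ids)    # accepted under v1 terms
    server.publish_new_terms("https://ca.example/tos-v2.pdf",
                             "https://ca.example/agree?v=2")
    second = client.request_order(ids)   # refused until a human acts
    client.operator_accepts_terms()
    third = client.request_order(ids)    # accepted again under v2 terms
    return {"first": first is not None, "second": second is not None,
            "third": third is not None, "log": client.log,
            "agreed_tos": acct.agreed_tos}
```

Running `run_scenario()` shows the practical problem both messages circle around: between `publish_new_terms` and `operator_accepts_terms`, every order from that account fails, and the only signal the automated client can emit is a log line that an operator has to read and act on.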
_______________________________________________
Servercert-wg mailing list
Servercert-wg@cabforum.org
https://lists.cabforum.org/mailman/listinfo/servercert-wg