On Thu, Aug 31, 2023 at 08:22:27AM -0700, Aaron Gable wrote:
> On Thu, Aug 31, 2023 at 2:09 AM Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
> 
> > 1) There may be a number of orthogonal properties, causing the total
> >    number of possible profiles be very large (the CA-side code is
> >    NOT complex).
> >
> 
> I'm not super concerned with combinatorial explosions of profiles. A CA
> could offer many profiles that differ in small ways, but
> a) It would be their responsibility to ensure that all profiles abide by
> their PKI's requirements; and
> b) It would be their responsibility to clearly communicate what each of
> those profiles means to their subscribers.
> Honestly, doing both of those is difficult. 

I don't think it is difficult to end up with more profiles than one
wants to explicitly list, even if one is very careful that all the
profiles meet the PKI requirements and that everything is clearly
documented.


> > I think the server should reject the order creation if "profile" field
> > is present, but contains some unknown or disallowed value. The default
> > only applies if there is no "profile" specified.
> >
> 
> I considered this, because as you say it certainly makes sense to simply
> reject orders which request a non-existent profile. However, I think that
> it breaks down in practice: we know that there will be clients which are
> set up once, configured with a profile name once, and then never updated
> ever again. The CA needs the ability to evolve and deprecate profiles
> without causing those clients to permanently fail. Therefore I think it is
> best that the ACME server SHOULD reject such requests but MAY ignore the
> unrecognized profile and select a default instead, or something like that.

Or guess something that is close. E.g., if the profile specifies a
no-longer-allowed issuer, revert that to default, but still honor the rest.

Then this also interacts with having a list of profiles in the directory (as
opposed to just linking to documentation). What will the ACME client do
if the profile it is configured to use disappears from the directory? To me
it seems like there are only two choices:

- Proceed anyway, rendering having any sort of programmatic list moot.
- Fail, halting renewals until configuration is fixed.




-Ilari
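The two server policies argued over above (reject an unknown "profile" outright, or fall back to the default) and the two client choices Ilari lists (proceed anyway, or halt renewal) are small enough to model end to end. The block below is an added example written for this page; it is not code from the thread, from any ACME CA, or from the profiles draft. It assumes a directory that advertises profiles under "meta.profiles" with an assumed "meta.defaultProfile" key, and it reuses the existing RFC 8555 "malformed" problem type for the rejection case; the profile names are constructed.

```python
"""Toy model of ACME profile selection on both sides of newOrder.

Added example, not the thread's or any CA's code. The directory layout
("meta.profiles", "meta.defaultProfile") and profile names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory document; names and descriptions are illustrative.
DIRECTORY = {
    "newOrder": "https://ca.example/acme/new-order",
    "meta": {
        "profiles": {                      # assumed field name
            "classic": "RSA/ECDSA leaf, 90-day lifetime",
            "tlsserver": "Modern TLS server profile, 6-day lifetime",
        },
        "defaultProfile": "classic",       # assumed field name
    },
}


@dataclass
class ProfileDecision:
    profile: Optional[str]            # profile the order will be issued under
    status: int                       # HTTP status the server would return
    problem: Optional[str] = None     # urn:ietf:params:acme:error:<problem>
    warnings: list = field(default_factory=list)


def select_profile(order: dict, directory: dict, strict: bool) -> ProfileDecision:
    """Server side: interpret the optional "profile" member of a newOrder.

    - absent        -> CA default applies (both posters agree on this)
    - advertised    -> honor it
    - unknown and strict=True  -> reject the order (Ilari's position)
    - unknown and strict=False -> ignore it, use the default, log a warning
                                  (Aaron's "SHOULD reject but MAY ignore")
    """
    meta = directory.get("meta", {})
    advertised = meta.get("profiles", {})
    default = meta.get("defaultProfile")
    requested = order.get("profile")

    if requested is None:
        return ProfileDecision(profile=default, status=201)
    if requested in advertised:
        return ProfileDecision(profile=requested, status=201)
    if strict:
        # "malformed" is an existing RFC 8555 error type; using it here is a
        # choice for the example, not something the draft prescribes.
        return ProfileDecision(profile=None, status=400, problem="malformed")
    return ProfileDecision(
        profile=default, status=201,
        warnings=[f"unknown profile {requested!r}; issued under {default!r}"],
    )


def build_order(configured: Optional[str], directory: dict,
                fail_if_missing: bool) -> dict:
    """Client side: the configured profile may have vanished from the directory.

    fail_if_missing=True  -> halt renewal until the config is fixed
    fail_if_missing=False -> proceed anyway, sending the stale name and
                             letting the server's policy decide
    """
    advertised = directory.get("meta", {}).get("profiles", {})
    body = {"identifiers": [{"type": "dns", "value": "www.example.com"}]}
    if configured is None:
        return body
    if configured not in advertised and fail_if_missing:
        raise RuntimeError(f"configured profile {configured!r} is no longer advertised")
    body["profile"] = configured
    return body


def renewal_outcome(configured: Optional[str], directory: dict,
                    client_halts: bool, server_strict: bool) -> str:
    """Combine one client choice with one server policy into a single verdict."""
    try:
        order = build_order(configured, directory, client_halts)
    except RuntimeError:
        return "halted-by-client"
    decision = select_profile(order, directory, server_strict)
    if decision.status != 201:
        return f"rejected:{decision.problem}"
    tag = "fallback" if decision.warnings else "issued"
    return f"{tag}:{decision.profile}"


if __name__ == "__main__":
    for cfg in (None, "tlsserver", "legacy"):
        for halts in (True, False):
            for strict in (True, False):
                print(cfg, halts, strict, renewal_outcome(cfg, DIRECTORY, halts, strict))
```

The interaction Ilari points at shows up in the last function: a client that "proceeds anyway" with a stale name only keeps renewing if the server is lenient, and a strict server turns that same client into one that fails at every renewal until someone edits its configuration.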

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme