On 3/20/21 10:39 AM, Michael Richardson wrote:
John Gardiner Myers <[email protected]> wrote:
     > I would frame this in terms of impending revocation. Consider the case, as
     > has happened in the past, where a CA discovers that there is a problem with
     > some or all of the previously issued certificates requiring the CA to revoke
     > said certificates within a few days. How can the ACME client managing renewal
     > learn from the CA of the need to renew prior to the revocation, so to avoid a
     > service interruption?

Would this signal occur at the time of issuance, or are you thinking that it
would occur some time into the validity period?

It would have to occur some time into the validity period as the time of revocation would not be known at the time of issuance.

Roland Shoemaker's ACME proposal resonates with my thinking, with one exception: since an ACME client typically manages a stable of desired certificates and the lack of any recent or impending revocations is the common case, it might make sense for the client to query "are there any unexpired certificates issued through this ACME account that are being revoked soon or recently?"


_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
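
A sketch of how a client could act on the account-level query suggested in the message above, added here as an illustration; it is not part of the thread or of any ACME specification. The response fields (`serial`, `notAfter`, `revokeAt`), the one-day safety margin and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an account-level answer. The field names are
# hypothetical and not taken from any ACME specification.
SAMPLE_RESPONSE = [
    {"serial": "0a01", "notAfter": "2021-06-01T00:00:00+00:00",
     "revokeAt": "2021-03-25T00:00:00+00:00"},   # revocation impending
    {"serial": "0a02", "notAfter": "2021-06-01T00:00:00+00:00",
     "revokeAt": "2021-03-19T12:00:00+00:00"},   # revoked recently
    {"serial": "0a03", "notAfter": "2021-03-01T00:00:00+00:00",
     "revokeAt": "2021-03-25T00:00:00+00:00"},   # already expired
    {"serial": "ffff", "notAfter": "2021-06-01T00:00:00+00:00",
     "revokeAt": "2021-03-25T00:00:00+00:00"},   # not deployed by this client
]


def plan_renewals(response, managed_serials, now, margin=timedelta(days=1)):
    """Return (serial, action, deadline) tuples, most urgent first.

    action is "renew-now" when the certificate is already revoked or its
    revocation falls within `margin` of `now`; otherwise "renew-before",
    with deadline = revokeAt - margin.
    """
    plan = []
    for entry in response:
        serial = entry["serial"]
        if serial not in managed_serials:
            continue  # nothing deployed here depends on this certificate
        if datetime.fromisoformat(entry["notAfter"]) <= now:
            continue  # expired certificates need no revocation-driven renewal
        deadline = datetime.fromisoformat(entry["revokeAt"]) - margin
        action = "renew-now" if deadline <= now else "renew-before"
        plan.append((serial, action, deadline))
    # An empty response is the common case and yields an empty plan.
    plan.sort(key=lambda item: item[2])
    return plan


if __name__ == "__main__":
    now = datetime(2021, 3, 20, 15, 0, tzinfo=timezone.utc)
    for serial, action, deadline in plan_renewals(
            SAMPLE_RESPONSE, {"0a01", "0a02", "0a03"}, now):
        print(serial, action, deadline.isoformat())
```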
