On 23/11/16 09:57, Thijs Kinkhorst wrote:
> Hi Peter,
>
> On Tue, November 22, 2016 02:40, Peter Eckersley wrote:
>> I'm an upstream developer for Certbot, previously known as the Let's
>> Encrypt client (https://certbot.eff.org). Certbot is a flexible and very
>> popular way to get certificates from Let's Encrypt;
>
> Thanks a lot for your efforts. This is really useful indeed.
>
>> The ACME protocol that it uses to talk to Let's Encrypt is also rapidly
>> evolving through an IETF working group
>> (https://datatracker.ietf.org/wg/acme/charter/), and the Let's Encrypt
>> server-side codebase (https://github.com/letsencrypt/boulder) is
>> currently working with an ACME backwards compatibility window of 6-12
>> months, but probably not longer than that.
>
> I'm a bit surprised by this policy. To my knowledge, concepts like automation
> and "hassle-free" are central to the Let's Encrypt concept. Obviously are
> online for more than a year, so installing Let's Encrypt certificates on them
> is not quite automated or hassle-free if you need to upgrade certbot several
> times during the projected lifetime of the server.
>
> Is it really necessary to have such, in my opinion, really short API
> lifetimes?
> Surely you want to extend and develop it, but this can be done while keeping
> compatibility with existing clients in the field.
>
I'm guessing that the Let's Encrypt people eventually hope to achieve that, but they are saying they are not going to make that level of commitment before the next Debian freeze.