On Thu, Mar 24, 2016 at 11:07:08AM -0400, Richard Barnes wrote:
> On Thu, Mar 24, 2016 at 5:42 AM, Ron <r...@debian.org> wrote:
> > On Thu, Mar 24, 2016 at 04:45:06PM +1100, Martin Thomson wrote:
> > >
> > > Most operating systems understand how to invoke local software in
> > > response to that and your proposed flow behaves much the same from a
> > > user perspective.
> > >
> > > That isn't *as* good as your proposal, I don't think, but it might
> > > have some usability advantages.
> >
> > The main downside I see to this is that if I need to fully automate
> > the acme client to perform certificate renewals every few weeks,
> > then it's unlikely to be running on the same machine where I read
> > email.
>
> I think it's safe to say that any system which is designed to support
> re-validation with any frequency cannot involve email.

Right, what I meant to indicate there was that the acme client with the key for my CA account was unlikely to be "local software" to the email client I read mail in. So being able to click on something in an email to launch an acme client is of limited use, even for the case of emergency recovery.

[though 'cannot' might be a bit strong. Email does have the advantage of being already resilient to temporary network disruptions, which is something alternative methods would need to reimplement. This probably could work quite well with email, but I'm not suggesting we go there except for emergency out of band recovery. ;]

> However, note that ACME supports renewal of certificates without
> re-validation.

That was one of the nits I pointed out earlier which it would be nice to fix. In the current text, the only way to find out if a server supports that or not is to try it and see if it fails. Which realistically means the only 'reliable' thing to automate, without out of band knowledge about the server, is to do a full new-certificate transaction.

It would be nice if the server did return some indication that it was prepared to support renewal with a simple GET request that didn't require access to the account key. Being able to drop that privilege for routine renewals does seem like a useful feature if we want to keep the validity period short.

Ron

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
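A constructed model of the renewal problem Ron describes, added here as an illustration and not part of the thread or of any ACME implementation; `MockAcmeServer`, `renew_or_reissue`, `required_privilege` and the directory field `renewal-supported` are all hypothetical, the last standing in for the capability indication he proposes:

```python
# Constructed model: an automated client cannot tell whether a server supports
# renewal without re-validation, so it has to keep the account key loaded in
# case it must fall back to a full new-certificate transaction. The
# "renewal-supported" directory field is hypothetical (Ron's proposal), not a
# field of any ACME draft or implementation.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class MockAcmeServer:
    supports_renewal: bool  # server policy: renew existing certs without re-validation?
    advertises: bool        # does a plain GET on the directory expose that policy?

    def directory(self) -> dict:
        d = {"new-cert": "/acme/new-cert", "renew": "/acme/renew"}
        if self.advertises:
            d["renewal-supported"] = self.supports_renewal  # hypothetical field
        return d

    def renew(self, cert_id: str) -> str:
        # Renewal here needs only the certificate key, never the account key.
        if not self.supports_renewal:
            raise RuntimeError("renewal not supported; use a new-certificate transaction")
        return f"renewed:{cert_id}"

    def new_cert(self, cert_id: str, account_key: Optional[str]) -> str:
        # A fresh transaction must be signed with the account key.
        if account_key is None:
            raise PermissionError("account key required for new-cert")
        return f"fresh:{cert_id}"


def renew_or_reissue(server: MockAcmeServer, cert_id: str,
                     account_key: Optional[str]) -> Tuple[str, str]:
    """Behaviour under the current text: try renewal, learn of non-support by failing."""
    try:
        return server.renew(cert_id), "renew"
    except RuntimeError:
        # The fallback only works if the client still holds the account key;
        # a job that dropped it hits PermissionError here.
        return server.new_cert(cert_id, account_key), "new-cert"


def required_privilege(server: MockAcmeServer) -> str:
    """With an advertised capability the job can decide up front whether it
    needs the account key at all, and drop it for routine renewals if not."""
    if server.directory().get("renewal-supported"):
        return "cert-key-only"
    return "account-key"  # unknown or unsupported: must be able to fall back
```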