On 02/13/2017 02:02 PM, Martin Thomson wrote:
> S6.3.4
>
>    It is up to server policy
>    how long to retain data related to that account, whether to revoke
>    certificates issued by that account, and whether to send email to
>    that account's contacts.
>
> This is terrible.  If I wish to decommission an account key, then I
> can't because I might find that my certificates are all suddenly
> revoked.  Think about a large organization that has a pool of
> authorized accounts used for managing certificates.  If one of those
> needs to fall out of the pool (the machine hosting the key is being
> scrapped or rebuilt, for instance), then you don't want to have all
> the certificates that it issued disappearing suddenly.
>
> If there are good reasons to revoke certificates, then be definite
> about it and say that they go away; at least then people can plan
> around the problem.
I agree. Let's change this to "server MUST NOT revoke certificates in
response to an account deactivation request," and delete the other part
"it is up to server policy to ..." because that is true by default.

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
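The design point of this exchange, as an added example that is not part of the thread or of the ACME specification: a toy Python server model in which account deactivation (the account's status becoming "deactivated") changes only the account record, while certificate status changes only through an explicit revocation request, which a deactivated key can no longer make. The AcmeServer class, its method names and the acct-A/acct-B key pool are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Certificate:
    serial: str
    issued_by: str          # account that requested issuance
    status: str = "valid"   # "valid" or "revoked"

class AcmeServer:
    def __init__(self):
        self.accounts = {}   # account id -> "valid" | "deactivated"
        self.certs = {}      # serial -> Certificate

    def new_account(self, account_id):
        self.accounts[account_id] = "valid"

    def issue(self, account_id, serial):
        self._require_valid(account_id)
        self.certs[serial] = Certificate(serial, issued_by=account_id)

    def deactivate_account(self, account_id):
        # Handles POST {"status": "deactivated"} to the account URL.
        # Only the account record changes; no certificate is touched.
        self._require_valid(account_id)
        self.accounts[account_id] = "deactivated"

    def revoke(self, account_id, serial):
        # Explicit revocation is the only path that changes certificate
        # status, and a deactivated account can no longer use it.
        self._require_valid(account_id)
        cert = self.certs[serial]
        if cert.issued_by != account_id:
            raise PermissionError("unauthorized")
        cert.status = "revoked"

    def _require_valid(self, account_id):
        if self.accounts.get(account_id) != "valid":
            raise PermissionError("unauthorized")

    def certs_issued_by(self, account_id):
        return [c for c in self.certs.values() if c.issued_by == account_id]


def decommission_scenario():
    """Two-key pool; the host holding acct-A's key is scrapped, so that key is retired."""
    srv = AcmeServer()
    srv.new_account("acct-A"); srv.new_account("acct-B")
    srv.issue("acct-A", "01"); srv.issue("acct-A", "02"); srv.issue("acct-B", "03")
    srv.deactivate_account("acct-A")
    return srv
```

After the scenario runs, the two certificates requested through acct-A are still valid and acct-B's key keeps working, which is the outcome Martin asks the text to guarantee.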
