Yes, we still intend to move forward with this. Let's Encrypt already has a rudimentary implementation of the current draft deployed in the Staging environment. I am working on both a more realistic implementation in Let's Encrypt[1] and a client implementation in Certbot[2], although that work has been moving slowly due to competing priorities. I also have a number of changes I intend to make in the next draft, which I plan to update prior to IETF 113 in March.
I will note that Caddy's implementation not only supports renewing upon revocation via OCSP, but it also supports OCSP Stapling. So in theory, user-agents should never see a "revoked" status for a certificate served by Caddy, because it will continue stapling the "good" response until it renews the cert. But still, agreed, ARI serves a different role (in particular, encouraging renewal when revocation is *not* imminent but renewal is desirable for other reasons).

Aaron

On Mon, Feb 7, 2022 at 4:25 AM Stefan Eissing <[email protected]> wrote:
> I was contacted by someone interested in supporting the renewal
> extension[1] in the Apache ACME implementation.
>
> It seems that this could have helped in the recent certificate revocation
> by Let's Encrypt and I'd be interested to hear from parties if they agree.
>
> Other servers, like Caddy, support renewal on OCSP revocation. While that
> is very commendable, it still does not allow for a smooth migration to
> a new certificate when this is a planned operation.
>
> Feedback from operators of large sites is that they like to restrict
> reconfigurations/reloads of servers to time windows where traffic is
> low and/or on-site support is ready.
>
> The proposed "renewalInfo" extension would allow that, it seems. Are
> there any plans/interests to go forward with this? What is LE's view?
>
> Kind Regards,
> Stefan
>
> 1) https://datatracker.ietf.org/doc/draft-aaron-acme-ari/01/
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
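The thread above describes the client side of ARI in prose only: the CA publishes a suggested renewal window, the client picks a time inside it, and operators want the resulting reload to land in a low-traffic maintenance window. Below is an added worked example of that decision logic; it is illustration written for this page, not code from Let's Encrypt, Certbot, Caddy or the Apache ACME module. It assumes the renewalInfo object has the shape `{"suggestedWindow": {"start": <RFC 3339>, "end": <RFC 3339>}}` as described in the linked draft; how the endpoint URL and certificate identifier are built is not modelled (later drafts changed that part), and the sample response is constructed, not captured from a real CA.

```python
"""Choosing a renewal time from an ACME Renewal Information (ARI) response.

Added illustration for the ARI thread, not code from any ACME client or CA.
Assumption: the renewalInfo JSON carries suggestedWindow.start/end as
RFC 3339 timestamps (draft-aaron-acme-ari-01). Fetching the object is
out of scope; pass the response body in as a string.
"""
import json
import random
from datetime import datetime, timedelta, timezone

# Constructed sample response for a certificate the CA would like renewed
# within a 24 hour window (not captured from a real CA).
SAMPLE_RESPONSE = (
    '{"suggestedWindow": {"start": "2022-02-08T02:00:00Z",'
    ' "end": "2022-02-09T02:00:00Z"}}'
)


def parse_rfc3339(s: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    d = datetime.fromisoformat(s)
    if d.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return d.astimezone(timezone.utc)


def parse_renewal_info(body: str) -> tuple[datetime, datetime]:
    """Extract and sanity-check the suggested window from a renewalInfo body."""
    window = json.loads(body)["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    return start, end


def pick_renewal_time(start: datetime, end: datetime, fraction: float) -> datetime:
    """Place the renewal at `fraction` of the way through the window.

    Callers pass random.random() so renewals are spread uniformly: a CA-wide
    event such as a mass revocation then does not produce a thundering herd.
    """
    if not 0.0 <= fraction < 1.0:
        raise ValueError("fraction must be in [0, 1)")
    return start + (end - start) * fraction


def align_to_maintenance(t: datetime, end: datetime,
                         allowed_hours_utc: set[int]) -> tuple[datetime, bool]:
    """Move t forward to the next operator-approved hour without passing `end`.

    Returns (time, True) when an approved hour fits inside the window and
    (t, False) when none does: a reload at a busy hour still beats serving
    a revoked or expired certificate, so the CA's window wins the conflict.
    """
    if t.hour in allowed_hours_utc:
        return t, True
    candidate = t.replace(minute=0, second=0, microsecond=0) + timedelta(hours=1)
    while candidate <= end:
        if candidate.hour in allowed_hours_utc:
            return candidate, True
        candidate += timedelta(hours=1)
    return t, False


def plan_renewal(body: str, now: datetime, fraction: float,
                 allowed_hours_utc: set[int]) -> datetime:
    """Decide when this client should renew and reload, given the CA's window
    and the operator's approved hours (both in UTC)."""
    start, end = parse_renewal_info(body)
    if now >= end:
        return now  # window already closed: renew immediately
    t = pick_renewal_time(start, end, fraction)
    if t < now:
        t = now  # selected point is in the past: renew as soon as allowed
    aligned, _ = align_to_maintenance(t, end, allowed_hours_utc)
    return aligned


if __name__ == "__main__":
    now = datetime(2022, 2, 7, 12, 0, tzinfo=timezone.utc)  # constructed clock
    when = plan_renewal(SAMPLE_RESPONSE, now, random.random(), {1, 2, 3, 4})
    print("renew at", when.isoformat())
```

The operator policy here is the one Stefan describes: reloads are pushed into approved hours, but only as long as that stays inside the CA's window, because the window is the CA's statement of when the certificate will stop being acceptable.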
