Hi! Glad the WG adopted this and am very supportive of this whole get a new certificate before it expires (and don’t crush the CA while you do it)!
Just one thing I am trying to square away: second para of s5 motivates the POST-as-GET to unauthenticated GET by saying the info isn’t confidential. Why wouldn’t staging a mass reisssuance event be considered confidential? Nits: 1) s1: CA 1st use: s/CA/Certification Authority (CA) See: https://github.com/aarongable/draft-acme-ari/pull/38 2) s1: Might I suggest a friendly amendment to the 1st sentence of the 2nd para: Issuing CA suggesting a period in which clients should renew their certificates allows for dynamic smearing of load, enabling a CA to respond to exceptional circumstances. See: https://github.com/aarongable/draft-acme-ari/pull/39 3) s4.1: Add a reference for SHA256: … using SHA256 [SHS] ... [SHS] Dang, Q., "Secure Hash Standard (SHS)", National Institute of Standards and Technology report, DOI 10.6028/NIST.FIPS.180-4, August 2015. 4) s4.2: For replaced, why is it SHOULD NOT be set of false, i.e., what does it mean for a client to set this to false and what would the CA do? 5) Appendix A: I like that you have examples, please make sure they are 5280 compliant or you’ll get errata filed against them by somebody 3 years from now :) 6) A.2.: Missing “A.2.” in front of Example CA Certificate See: https://github.com/aarongable/draft-acme-ari/pulls _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
