IIRC it was dual purpose: state some randomish time to reduce load spikes
at 12:00 AM or mass renewal after a mass revocation event, and order a renewal
when revocation is imminent.
I think it's pretty safe to say IFF the ARI time changes from what it was set to
just after certificate creation, you could guess there will be a
revocation for that leaf certificate.
On 2023-03-23 at 1:46 AM, Amir Omidi wrote:
My concern with this is that it creates a bit of a requirement to
revoke by/on that time, which doesn't seem to be the intent of ARI I
think?
Also what should the precision of this time field be? day/hour/etc?
On Wed, Mar 22, 2023 at 10:35 AM Andrew Ayer <a...@andrewayer.name> wrote:
I'm working on adding an ARI client to a certificate monitoring service
to notify users when one of their certificates is scheduled to be
revoked. Unfortunately, ARI doesn't currently convey whether the
suggestedWindow is mandatory (because the certificate is going to be
revoked) or merely advisory.
I had previously thought that an end time that was earlier than the
certificate's expiration would indicate an upcoming revocation, but it
appears that Let's Encrypt's ARI endpoint routinely specifies an end
time that is ~30 days earlier than the certificate's expiration.
I propose that the renewalInfo object contain a nullable field called
revocationTime which specifies the time the certificate is going to be
revoked, if applicable.
Regards,
Andrew
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
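
A sketch of how a monitoring client could combine the two signals discussed in this thread, added here as an example and not code from any participant or from the ARI draft. `revocationTime` is the field proposed above and is not part of ARI; the function names and sample documents are constructed for illustration.

```python
import json
from datetime import datetime

def parse_ts(value):
    # renewalInfo timestamps are RFC 3339; normalise a trailing "Z" for fromisoformat
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_renewal_info(raw):
    """Return (start, end, revocation_time) from a renewalInfo JSON document."""
    doc = json.loads(raw)
    window = doc["suggestedWindow"]
    start, end = parse_ts(window["start"]), parse_ts(window["end"])
    if end <= start:
        raise ValueError("suggestedWindow end must be after start")
    rev = doc.get("revocationTime")  # proposed nullable field, absent from ARI today
    return start, end, parse_ts(rev) if rev else None

def classify(baseline_raw, current_raw):
    """Compare the renewalInfo seen just after issuance with the latest poll."""
    b_start, b_end, _ = parse_renewal_info(baseline_raw)
    c_start, c_end, c_rev = parse_renewal_info(current_raw)
    if c_rev is not None:
        return "revocation-announced"  # explicit signal, if the proposal were adopted
    if (c_start, c_end) != (b_start, b_end):
        return "window-changed"        # heuristic only: the CA may move it for other reasons
    # A window ending well before notAfter is routine, so on its own it stays advisory.
    return "advisory"

# Constructed sample documents for a certificate expiring 2023-06-20.
BASELINE = json.dumps({"suggestedWindow": {
    "start": "2023-05-19T00:00:00Z", "end": "2023-05-21T00:00:00Z"}})
MOVED = json.dumps({"suggestedWindow": {
    "start": "2023-03-23T00:00:00Z", "end": "2023-03-24T00:00:00Z"}})
ANNOUNCED = json.dumps({"suggestedWindow": {
    "start": "2023-03-23T00:00:00Z", "end": "2023-03-24T00:00:00Z"},
    "revocationTime": "2023-03-25T00:00:00Z"})

if __name__ == "__main__":
    for name, doc in (("unchanged", BASELINE), ("moved", MOVED), ("announced", ANNOUNCED)):
        print(name, classify(BASELINE, doc))
```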