Hi,
For context, it was I who was interested in ACME CAs advertising
their supported features via the directory or a capabilities endpoint;
my client has an unusual emphasis on multi-CA use and automated CA fallback.
Aaron's proposal does actually complement that because in the future an
endpoint could still exist which defines the features supported by a
profile, e.g. things you specifically need or things you can ask for
that will allow your order to proceed without it blowing up. These
include: supported key types, supported min/max lifetimes, included
EKUs, is-publicly-trusted-by-browser-root-programs, supported
identifiers (dns, ip, STIR/SHAKEN TNAuthList etc.), and identifier profiles
(like single domain, multiple SAN, domain+www, single wildcard,
multi-wildcard).
I agree it's a stretch to try to include these at the moment, but
hopefully at some point in the future an ACME CA should be able to
advertise what it can be used for. The purpose of that is to be able to
select a CA from a whole bunch of candidates and have reasonable
confidence that they are both compatible with your order (or one of
their profiles is) and will give you a cert with the features you need.
I agree this is out of scope for most clients.
--
Christopher Cook
https://certifytheweb.com
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
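The selection step the message describes (pick a CA from several candidates whose advertised profile is compatible with the order, with the rest kept as fallbacks) is shown below as an added example; it is not code from this thread, from Certify The Web, or from any ACME draft. The per-profile capability keys under `meta.profiles` (`keyTypes`, `minLifetimeDays`, `maxLifetimeDays`, `ekus`, `identifierTypes`, `identifierProfiles`, `publiclyTrusted`) are an assumed, hypothetical shape chosen only to express the feature list in the message; RFC 8555 defines no such fields. The CA names, URLs and directory documents are constructed.

```python
"""Client-side CA selection against a hypothetical capability advertisement.

Added example, not code from the ACME mailing list or any ACME project.
The per-profile capability keys under meta.profiles are ASSUMED (no RFC or
draft defines them); CA names, URLs and directory documents are constructed.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OrderRequirements:
    key_type: str                 # key algorithm the order's CSR will use
    lifetime_days: int            # requested certificate lifetime
    ekus: frozenset               # Extended Key Usages the cert must carry
    identifier_types: frozenset   # identifier types in the order ("dns", "ip", ...)
    identifier_profile: str       # "single-domain", "multi-san", "wildcard", "multi-wildcard"
    publicly_trusted: bool        # whether a browser-root-program chain is required

# Constructed directory documents for three hypothetical CAs. The real
# RFC 8555 directory fields (newNonce, newAccount, ...) are omitted.
CANDIDATE_CAS = [
    {"name": "ca-a", "url": "https://ca-a.example/directory", "meta": {"profiles": {
        "classic": {"keyTypes": ["rsa-2048", "ecdsa-p256"], "minLifetimeDays": 1,
                    "maxLifetimeDays": 90, "ekus": ["serverAuth", "clientAuth"],
                    "identifierTypes": ["dns"],
                    "identifierProfiles": ["single-domain", "multi-san", "wildcard"],
                    "publiclyTrusted": True},
        "shortlived": {"keyTypes": ["ecdsa-p256"], "minLifetimeDays": 1,
                       "maxLifetimeDays": 7, "ekus": ["serverAuth"],
                       "identifierTypes": ["dns", "ip"],
                       "identifierProfiles": ["single-domain", "multi-san"],
                       "publiclyTrusted": True}}}},
    {"name": "ca-b", "url": "https://ca-b.internal/directory", "meta": {"profiles": {
        "internal": {"keyTypes": ["rsa-2048", "rsa-4096", "ecdsa-p256", "ecdsa-p384"],
                     "minLifetimeDays": 1, "maxLifetimeDays": 825,
                     "ekus": ["serverAuth", "clientAuth"],
                     "identifierTypes": ["dns", "ip"],
                     "identifierProfiles": ["single-domain", "multi-san",
                                            "wildcard", "multi-wildcard"],
                     "publiclyTrusted": False}}}},
    # A CA that advertises nothing: compatibility can only be learned by trying.
    {"name": "ca-c", "url": "https://ca-c.example/directory", "meta": {}},
]

def profile_satisfies(profile: dict, req: OrderRequirements) -> bool:
    """True when every requirement of the order is covered by the profile."""
    if req.key_type not in profile.get("keyTypes", []):
        return False
    lo, hi = profile.get("minLifetimeDays", 0), profile.get("maxLifetimeDays", 0)
    if not lo <= req.lifetime_days <= hi:
        return False
    if not req.ekus <= set(profile.get("ekus", [])):
        return False
    if not req.identifier_types <= set(profile.get("identifierTypes", [])):
        return False
    if req.identifier_profile not in profile.get("identifierProfiles", []):
        return False
    if req.publicly_trusted and not profile.get("publiclyTrusted", False):
        return False
    return True

def fallback_order(candidates: list, req: OrderRequirements) -> list:
    """Ordered (ca_name, profile_name) pairs to try for this order.

    CAs whose advertisement matches come first, in the client's configured
    preference order. CAs that advertise nothing are appended last with
    profile None: the client cannot rule them out without attempting issuance.
    """
    matched, unknown = [], []
    for ca in candidates:
        profiles = ca.get("meta", {}).get("profiles")
        if not profiles:
            unknown.append((ca["name"], None))
            continue
        for name, prof in profiles.items():
            if profile_satisfies(prof, req):
                matched.append((ca["name"], name))
    return matched + unknown

def select_ca(candidates: list, req: OrderRequirements) -> Optional[tuple]:
    """First CA/profile the client should submit the order to, or None."""
    order = fallback_order(candidates, req)
    return order[0] if order else None

if __name__ == "__main__":
    wildcard = OrderRequirements("ecdsa-p256", 90, frozenset({"serverAuth"}),
                                 frozenset({"dns"}), "wildcard", True)
    print(fallback_order(CANDIDATE_CAS, wildcard))
```

The ordering keeps a CA that advertises nothing as a last resort rather than dropping it, since an absent advertisement says nothing about compatibility; a client that fails over on a rejected order would simply walk the returned list.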