On Wed, Jan 03, 2024 at 11:13:01PM +0900, Seo Suchan wrote:
> While it looks sensible, I wonder how many clients poll on the auth
> instead of the challenges: those clients will poll without limit if this
> behavior is applied to a CA.
>
> For example, this client watches the auth's status instead of the
> challenge itself.
> https://github.com/diafygi/acme-tiny/blob/c29c0f36cedbca2a7117169c6a9e1f166c501899/acme_tiny.py#L151
>
I would imagine most clients do that. The one that I have written certainly
does (I think it would time out with an "authorization status stuck" error
after 10 min). AFAIK, ACME does not even guarantee that challenges are
fetchable.

And one does not have to deactivate authorizations in order to retry. Just
creating a new order will either restart from scratch or resume where one
left off, depending on the CA.

Yes, one would need an auto-timeouting blacklist for clients that can try
multiple methods, but I do not think that is hard (at least compared to
stuff like handling the three different concurrent order race conditions).

The only reasons I know to deactivate authorizations:

- Getting rid of zombie auths that fail CAA validation methods.
- Dropping authority to reduce damage on key compromise (an explicit
  clear-all would be better for this purpose).

-Ilari

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
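Added example, not code from this thread, from acme-tiny or from any CA: a client-side loop that polls the authorization object (rather than the individual challenge) under an overall timeout of the kind the reply describes, plus the auto-timeouting blacklist a multi-method client would keep so it does not retry a challenge type the CA already marked invalid. The authorization objects follow the shape in RFC 8555 section 7.1.4; the fake CA responses, the simulated clock, the example.com identifier, the ca.example URLs and all helper names are assumptions made for this illustration, and the script runs offline.

```python
# Added example (not from the thread, acme-tiny or any CA): poll an ACME
# authorization object under an overall timeout and keep an auto-expiring
# per-identifier list of challenge types that failed, so a multi-method client
# does not retry a method the CA already rejected. Authorization objects follow
# RFC 8555 section 7.1.4; the fake CA responses, simulated clock and helper
# names are assumptions made for this illustration.
from itertools import chain, repeat

TERMINAL = {"valid", "invalid", "deactivated", "expired", "revoked"}
AUTHZ_TIMEOUT = 600.0  # seconds of 'pending' tolerated before giving up


class AuthorizationStuck(Exception):
    """The authorization never left 'pending' before the deadline."""


class MethodBlacklist:
    """(identifier, challenge type) pairs that failed; entries expire after ttl seconds."""

    def __init__(self, ttl):
        self.ttl, self._expires = ttl, {}

    def add(self, identifier, chall_type, now):
        self._expires[(identifier, chall_type)] = now + self.ttl

    def allows(self, identifier, chall_type, now):
        expires = self._expires.get((identifier, chall_type))
        if expires is not None and expires > now:
            return False
        self._expires.pop((identifier, chall_type), None)  # timed out: allow a retry
        return True


def pick_challenge(authz, supported, blacklist, now):
    """First challenge the client supports that is not currently blacklisted, else None."""
    ident = authz["identifier"]["value"]
    for chall in authz["challenges"]:
        if chall["type"] in supported and blacklist.allows(ident, chall["type"], now):
            return chall
    return None


def record_failed_methods(authz, blacklist, now):
    """After an 'invalid' authorization, blacklist each challenge the CA marked invalid."""
    ident = authz["identifier"]["value"]
    failed = [c["type"] for c in authz["challenges"] if c.get("status") == "invalid"]
    for chall_type in failed:
        blacklist.add(ident, chall_type, now)
    return failed


def poll_authorization(fetch, clock, sleep, timeout=AUTHZ_TIMEOUT, interval=2.0):
    """Re-fetch the authorization until its status is terminal. fetch() returns the
    parsed JSON; clock()/sleep() are injected so the loop can run offline."""
    deadline = clock() + timeout
    while True:
        authz = fetch()
        if authz["status"] in TERMINAL:
            return authz
        if authz["status"] != "pending":
            raise ValueError("unexpected authorization status %r" % authz["status"])
        if clock() >= deadline:
            raise AuthorizationStuck("authorization status stuck in 'pending'")
        sleep(interval)


# --- offline harness: simulated clock and constructed CA responses ------------
def fake_clock():
    """clock() reads simulated time; sleep(s) advances it instead of waiting."""
    t = [0.0]
    return (lambda: t[0]), (lambda s: t.__setitem__(0, t[0] + s))


def make_fetcher(responses):
    """Serve responses in order, then repeat the last one forever (a stuck CA)."""
    return chain(responses, repeat(responses[-1])).__next__


def authz(status, challenges):
    """Constructed authorization for example.com; challenges = [(type, status), ...]."""
    return {"status": status, "identifier": {"type": "dns", "value": "example.com"},
            "challenges": [{"type": t, "status": s, "url": "https://ca.example/chall/" + t}
                           for t, s in challenges]}


def demo():
    """Success, a stuck authorization, and a failed method retried only after expiry."""
    clock, sleep = fake_clock()
    ok = poll_authorization(make_fetcher([authz("pending", [("http-01", "processing")]),
                                          authz("valid", [("http-01", "valid")])]), clock, sleep)
    try:
        poll_authorization(make_fetcher([authz("pending", [("http-01", "processing")])]),
                           clock, sleep)
        stuck = None
    except AuthorizationStuck as exc:
        stuck = str(exc)
    blacklist = MethodBlacklist(ttl=3600)
    bad = poll_authorization(make_fetcher([authz("invalid", [("http-01", "invalid"),
                                                            ("dns-01", "pending")])]),
                             clock, sleep)
    recorded = record_failed_methods(bad, blacklist, clock())
    retry = authz("pending", [("http-01", "pending"), ("dns-01", "pending")])
    now_pick = pick_challenge(retry, {"http-01", "dns-01"}, blacklist, clock())
    later_pick = pick_challenge(retry, {"http-01", "dns-01"}, blacklist, clock() + 3600)
    return {"ok": ok["status"], "stuck": stuck, "recorded": recorded,
            "now": now_pick["type"], "later": later_pick["type"], "elapsed": clock()}
```

Running demo() walks the three cases: a pending authorization that turns valid after one poll, one that stays pending until the 600 s deadline and raises AuthorizationStuck, and an invalid one whose http-01 failure is blacklisted so the next order falls back to dns-01 until the entry times out. Against a real CA, fetch would be a POST-as-GET to the authorization URL and clock/sleep would be time.monotonic and time.sleep; nothing here deactivates an authorization, matching the point that a retry only needs a new order.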
