David Benjamin <[email protected]> wrote:
    > For folks who missed it, I talked a bit about the motivation in both the
    > draft and 124, so here are the links to what happened in 124. This is a
    > pretty tiny mechanism, so there's not a lot to skim through there:
    > 
    > https://datatracker.ietf.org/meeting/124/materials/slides-124-acme-acme-profile-sets-00

I looked again at the slides.
The motivation is good.  I think some of the context is wrong... like if
"Old Clients" live forever, then they aren't going to get new certificates.

Maybe you don't mean old ACME clients, but old TLS clients?
(PS: they also don't do TLS 1.3, often not TLS 1.1.  Try connecting to a
2010-era BMC.)

I don't think ACME Profile Sets completely solves the problem described in
the slides.  We need more.  Maybe a connection to RFC9908 (just issued, but
not announced yet... weird)... a CSR/CSR-attributes redo in JSON/JOSE/COSE
could be part of an RFC7030bis.  Worth further discussion, I hope.

    > But older relying parties still have the old behavior, and ACME clients

Yes, older relying, or corresponding parties.


--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide




_______________________________________________
Acme mailing list -- [email protected]