On Thu, Jan 08, 2026 at 12:30:34PM -0500, David Benjamin wrote:
> On Thu, Jan 8, 2026 at 12:12 PM Michael Richardson <[email protected]>
> wrote:
> 
> > I don't think ACME Profile Sets completely solves the problem described in
> > the slides.   We need more.  Maybe a connection to RFC9908 (just issued, but
> > not announced yet.. weird)... a CSR/CSR-attributes redo in JSON/JOSE/COSE
> > could be part of an RFC7030bis.  Worth further discussion, I hope.
> >
> 
> The aim is to specifically solve the case where the subject information in
> all the variants is the same, as that seems to be where this kind of
> automation most naturally fits. It's true there are a bunch of other, more
> complex, cases where folks might need multiple certificates. Those seem
> hard to automate because they require the ACME client to have knowledge of
> the variations, but happy to be proven wrong. :-)
> 
> Not to say those aren't also interesting problems, but this subset seems
> both useful, fairly easily achievable, and fits within a clear "subject
> decisions vs PKI decisions" model, so that seemed a good place to draw a
> box.

I do not think profile sets would be helpful with key algorithm
transitions (e.g. ECDSA, post-quantum) or with CAs getting distrusted.

Profiles do not specify key algorithms (so the client has no guidance on
key algorithms) and ACME servers are usually specific to a CA (so distrust
requires switching servers).

Then effectively using multiple certificates at once requires webserver
support. And in many of the use cases, supporting a TLS extension that
has not been defined yet.

Furthermore, having a variable number of certificates would require major
changes to the configuration models of various webservers (most webservers
do not do full mix-and-match with keys, certificates and virtual
hosts). Furthermore, ACME clients might not be permitted to generate
keys (and webservers might react rather badly to unsupported keys).

-Ilari

_______________________________________________
Acme mailing list -- [email protected]