David Benjamin <[email protected]> wrote:
> (I wasn’t sure about cross-posting etiquette, so I haven't CC'd plants@
> here. Rather, I’ll point plants@ to this thread shortly. Figure it’s
> always
Just do it.
(The IETF mailman maintains a global acceptlist that basically means, if you've
subscribed to any list, you can post to all of them)
> MTC wants a way to configure ACME to deliver both certificates (one
> immediately and one that the ACME client can optionally retrieve later,
> after some delay), along with any metadata needed for the TLS server (etc)
> to select between the two.
I was also thinking about this.
Do you think this is a new document in ACME, a document in PLANTS, or would
it wind up in the main PLANTS specification? (I can think of arguments for each.)
> The current proposal is to use ACME's existing alternate URLs feature,
That's paragraph 3 of section 7.4.2 of RFC8555, I think.
> modeling the delay with the HTTP Retry-After header from RFC 9110. (Another
> option is to make multiple orders. That would let us model the delay with
> the "processing" status, but since it’s one validation and issuance event,
> one order + alternate URLs seemed a better fit.)
> Thoughts? Is this a good approach to using ACME?
It's not what I was thinking about.
I was thinking that the landmark certificate would be returned with a short
renewal-info, such that the client would come back soon, and then receive an
update. Only, that's probably a bad idea as I write it down!
We don't really want to redo the process (authorization, CSR, ...).
Multiple orders is not a good answer, I'd say it's worse than the above.
I think that your alternate URLs notion is the right mechanism.
It would also map nicely to RFC7030 (EST).
We should consider if application/pem-certificate-chain is still the right
content-type.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________ Acme mailing list -- [email protected] To unsubscribe send an email to [email protected]
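The client side of the mechanism discussed in the thread, as an added example that is not code from the thread, from any ACME implementation, or from the PLANTS/MTC drafts: the order's certificate URL returns the first chain plus a Link header with rel="alternate" (RFC 8555, section 7.4.2) pointing at a second chain that may only become available later, with the delay signalled by Retry-After (RFC 9110, section 10.2.3). The server stand-in, its URLs, the PEM bodies, the timings and the DEFAULT_BACKOFF fallback are all constructed assumptions for illustration; the `get` callable is where a real client would perform the JWS-signed POST-as-GET that RFC 8555 requires.

```python
"""Added example (not from the thread, ACME or PLANTS): consuming an ACME
certificate URL that offers a delayed alternate chain via Link rel="alternate"
and Retry-After.  Server, URLs, bodies and timings below are constructed."""
import re
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime

# One Link value: <url> followed by ;param=value pairs (RFC 8288 Link header).
LINK_RE = re.compile(r'<([^>]+)>((?:\s*;\s*[^;,]+)*)')
DEFAULT_BACKOFF = 60  # assumed wait (seconds) when no Retry-After is given


def parse_link_header(value):
    """Return [(url, {param: value})] for every link in an RFC 8288 Link header."""
    links = []
    for m in LINK_RE.finditer(value):
        params = {}
        for part in m.group(2).split(';'):
            part = part.strip()
            if part:
                key, _, val = part.partition('=')
                params[key.strip().lower()] = val.strip().strip('"')
        links.append((m.group(1), params))
    return links


def alternate_urls(headers):
    """URLs the server offers as alternates for the resource just fetched."""
    return [url for url, params in parse_link_header(headers.get('Link', ''))
            if params.get('rel', '').lower() == 'alternate']


def retry_after_seconds(headers, now):
    """Retry-After is delay-seconds or an HTTP-date; returns seconds from `now`."""
    value = headers.get('Retry-After')
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return int(value)
    return max(0, int(parsedate_to_datetime(value).timestamp() - now))


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b''


@dataclass
class FetchResult:
    chains: list = field(default_factory=list)   # PEM chains obtained so far
    pending: list = field(default_factory=list)  # (alternate URL, earliest retry)


def _queue(result, url, resp, now):
    delay = retry_after_seconds(resp.headers, now)
    result.pending.append((url, now + (DEFAULT_BACKOFF if delay is None else delay)))


def fetch_certificates(get, cert_url, now):
    """Fetch the order's chain and any alternate that is already available.
    `get(url)` stands in for the signed POST-as-GET of RFC 8555 section 6.3."""
    result = FetchResult()
    first = get(cert_url)
    if first.status != 200:
        raise RuntimeError(f"certificate not ready: HTTP {first.status}")
    result.chains.append(first.body)
    for alt in alternate_urls(first.headers):
        resp = get(alt)
        if resp.status == 200:
            result.chains.append(resp.body)
        else:
            _queue(result, alt, resp, now)
    return result


def retry_pending(get, result, now):
    """Re-attempt queued alternates whose Retry-After time has passed."""
    todo, result.pending = result.pending, []
    for url, not_before in todo:
        if now < not_before:
            result.pending.append((url, not_before))
            continue
        resp = get(url)
        if resp.status == 200:
            result.chains.append(resp.body)
        else:
            _queue(result, url, resp, now)
    return result


# --- constructed ACME server stand-in (assumed URLs and bodies) --------------
CERT_URL = 'https://acme.example.test/cert/order-1'
ALT_URL = 'https://acme.example.test/cert/order-1/alternate'
FIRST_CHAIN = b'-----BEGIN CERTIFICATE-----\nconstructed-first\n-----END CERTIFICATE-----\n'
SECOND_CHAIN = b'-----BEGIN CERTIFICATE-----\nconstructed-second\n-----END CERTIFICATE-----\n'
PEM_CHAIN = 'application/pem-certificate-chain'


def make_server(alt_ready_at, clock):
    """Server whose alternate chain is served only once clock[0] >= alt_ready_at."""
    def get(url):
        now = clock[0]
        if url == CERT_URL:
            return Response(200, {'Content-Type': PEM_CHAIN,
                                  'Link': f'<{ALT_URL}>;rel="alternate"'}, FIRST_CHAIN)
        if url == ALT_URL and now >= alt_ready_at:
            return Response(200, {'Content-Type': PEM_CHAIN}, SECOND_CHAIN)
        if url == ALT_URL:
            return Response(503, {'Retry-After': str(alt_ready_at - now)})
        return Response(404, {})
    return get


def demo():
    """Immediate fetch at t=1000, alternate ready at t=1600, retry at t=1700."""
    clock = [1000]
    get = make_server(alt_ready_at=1600, clock=clock)
    result = fetch_certificates(get, CERT_URL, clock[0])
    clock[0] = 1700
    return retry_pending(get, result, clock[0])
```

The two-phase shape (collect what is available now, queue the rest with the server's stated retry time) is what lets the TLS server be configured with the first chain immediately while the alternate arrives later without re-running authorization or submitting a second order; the 503 plus Retry-After on the not-yet-ready alternate is one plausible encoding and not something the page or RFC 8555 prescribes.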
