On 3/18/21 11:15 AM, Michael Richardson wrote:
> As far as I know, the only signal for when to renew is notAfter.
> Generally, one should renew sometime after the half-way point.
> (Let's Encrypt policy is 90 days, but renewal is discouraged until 60 days.)
> It seems that a CA ought to be able to express some other kind of renewal
> period directly. Is there any work in this area?
I would frame this in terms of impending revocation. Consider the case,
as has happened in the past, where a CA discovers that there is a
problem with some or all of the previously issued certificates requiring
the CA to revoke said certificates within a few days. How can the ACME
client managing renewal learn from the CA of the need to renew prior to
the revocation, so as to avoid a service interruption?
I believe this problem is within the scope of the ACME WG's charter,
but would require someone with CA experience to propose an ACME extension.
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
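As an added illustration of the gap the thread describes (this is not code from either poster or from any ACME client), the following Python scheduler renews purely from notAfter, using the half-way or 2/3 rule, and then shows how far a notAfter-only client would fall short when the CA must revoke early. The validity dates are constructed, and `revoke_by` is a hypothetical CA-supplied deadline standing in for the signal the thread asks for.

```python
from datetime import datetime, timedelta, timezone

# Constructed example: a 90-day certificate, Let's Encrypt style.
NOT_BEFORE = datetime(2021, 3, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=90)


def renewal_time(not_before, not_after, fraction=2 / 3):
    """Point in the validity period at which a notAfter-driven client renews.

    fraction=0.5 is the half-way point; 2/3 renews a 90-day certificate at
    day 60, matching the Let's Encrypt guidance quoted in the thread.
    """
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = not_after - not_before
    return not_before + lifetime * fraction


def should_renew(not_before, not_after, now, fraction=2 / 3,
                 revoke_by=None, margin=timedelta(days=3)):
    """Decide whether to renew at `now`.

    revoke_by is a hypothetical CA-provided deadline (not part of ACME as
    discussed in the thread). When present, renewal is pulled forward so it
    completes `margin` before the CA revokes; without it, only notAfter counts.
    """
    planned = renewal_time(not_before, not_after, fraction)
    if revoke_by is not None:
        planned = min(planned, revoke_by - margin)
    return now >= planned


def outage_days(not_before, not_after, revoke_by, fraction=2 / 3):
    """Days a notAfter-only client would run on a revoked certificate.

    This is the service interruption the thread warns about: the CA revokes
    at revoke_by, but the client does not plan to renew until the fraction
    rule fires. Returns 0 when the planned renewal already precedes it.
    """
    planned = renewal_time(not_before, not_after, fraction)
    gap = planned - revoke_by
    return max(gap.days, 0)


if __name__ == "__main__":
    early_revocation = NOT_BEFORE + timedelta(days=40)  # constructed incident
    print("planned renewal:", renewal_time(NOT_BEFORE, NOT_AFTER).date())
    print("days exposed without a CA signal:",
          outage_days(NOT_BEFORE, NOT_AFTER, early_revocation))
```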