Hello all,

This is Arabella.

Today, while reviewing various ACME clients, I observed that several 
popular ones have not yet implemented the ARI (Automatic Renewal 
Information) feature. This is despite the fact that ARI is now supported by 
major ACME CAs (Let's Encrypt, Google Trust Services).

It seems that for various reasons, whether financial or resource-related, 
the implementation of ARI in some widely-used clients has been delayed (e.g., 
acme.sh, acmephp). This lag could potentially hinder the certificate 
replacement and revocation process during a Massive Revocation Incident, as 
CAs, for practical and business reasons, often prefer to wait until users 
have replaced their certificates before revoking the old ones.

This leads me to a thought: since the delayed adoption of ARI in these 
clients directly impacts the ability of CAs to efficiently manage potential 
Massive Revocation Incidents, why don't commercial CAs consider providing 
financial or development and pull request support to the open-source ACME 
client community? By assisting open-source maintainers and projects, we 
could accelerate the implementation of ARI and collectively contribute to a 
more robust and healthier webPKI ecosystem.

I welcome and look forward to expanding this discussion.

Best regards,

Arabella

-- 
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c44a9132-4d3d-4a40-b611-36ef7205a0c6n%40mozilla.org.
