Roland Shoemaker sent a proposal a while back for ACME Renewal Info (ARI)
with the goal of solving both "impending revocation" and "expressing
suggested renewal times."
https://mailarchive.ietf.org/arch/msg/acme/b-RddSX8TdGYvO3f9c7Lzg6I2I4/. We
at Let's Encrypt hope to develop this idea further
Hiya,
> On 18 Mar 2021, at 19:58, Michael Richardson wrote:
>
> A pity that EST (and I think SCEP, but I haven't read it all), just returns
> the resulting certificate, and not something more useful, like a JSON dict
> that includes the certificate.
>
> RFC7030 has a 202, Retry-After, which
On Thu, Mar 18, 2021 at 02:58:08PM -0400, Michael Richardson wrote:
> A pity that EST (and I think SCEP, but I haven't read it all), just returns
> the resulting certificate, and not something more useful, like a JSON dict
> that includes the certificate.
But you can always send this kind of
Nico Williams wrote:
> On Thu, Mar 18, 2021 at 05:54:55PM +0100, Toerless Eckert wrote:
>> On Thu, Mar 18, 2021 at 08:57:04AM -0400, Michael Richardson wrote:
>> > It seems that a CA ought to be able to express some other kind of
renewal
>> > period directly. Is there any work
On 3/18/21 11:15 AM, Michael Richardson wrote:
As far as I know, the only signal for when to renew is notAfter.
Generally, one should renew sometimes after the half-way point.
(LetsEncrypt policy of 90 days, but discouraged to renew until 60 days)
It seems that a CA ought to be able to express
[resending with correct list name for spasm^Wlamps. I hate this]
ANIMA is working on a more construction focused version of BRSKI, which you
can read about in
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-async-enroll/,
in which the last few meters of connectivity are by sneaker-net.
In ACP/BRSKI, we discussed for the semantic of lifetime of short-lived
certificates to distingish between different type of "uses" of the
certificate. At that time mainly two:
a) using the certificate for "anything"
b) using the certificate as an authenticator to get itself renewed.
And the
ANIMA is working on a more construction focused version of BRSKI, which you
can read about in
https://datatracker.ietf.org/doc/draft-ietf-anima-brski-async-enroll/,
in which the last few meters of connectivity are by sneaker-net.
(Literally: technicians walking up/down stairs into the basement