So today I was updating a web server cert as I do a few times a year. And I have a usability story to tell...
I got the new cert and installed it in apache without any Cullen-like problems:-) That cost me €0.00 in payment and about 5-10 minutes. All good so far. Chrome was happy, but FF/opera/my phone weren't. I then messed about for 30 minutes checking to see if a new intermediate cert was needed etc. (i.e. I was back to Cullen-mode:-)

Turns out, after a bit of searching, I'd installed the new cert too soon, and when I tested it, a "dunno" OCSP response was sent before the responder had seen the new cert, and that OCSP response has now been cached for some unknowable (to me) number of hours in who-knows-what places. And that caching behaviour has changed since the last time I got a cert from the same provider a few months ago. So I reverted my apache to the old cert and will try to install the new cert again tomorrow.

That's exactly the kind of thing I'd love to see fixed with acme and that is not handled by CMP, CMC, PKCS#10, EST or SCEP. At least I don't believe there's a standard way of getting the right thing to happen with those without some proprietary extension/surroundings. And one big reason CMP etc. don't support that is that we didn't have that requirement when we had the big fight that led to CRMF back nearly 20 years ago. (Since OCSP didn't exist then and we didn't know how folks would be updating web servers, and we're much more intolerant of Cullen-like messing about being needed these days, and rightly so.)

I would like acme defined so that when I get the cert back all the PKI stuff has happened already and is working. I'm sure some other semantics could also work out (e.g. if acme had a "ready-yet?" query I could emit after getting the cert), but those are the kind of problems we're currently facing that are killers and that we can address, now that we know the deployment requirements much better than we did in 1996. I hope this helps those who are worried that acme is only about business models.
In my head what acme ought to be about is getting rid of that 1 hour of silly sysadmin time I just spent - the system-automated web server s/w update should just have done all of this for me without me even having to know a new cert was needed until I get the system update email tomorrow.

Cheers,
S.

PS: Apologies, Cullen, but it's your own fault:-)

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
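An added example, not part of the mail above and not code from any ACME implementation: the "ready-yet?" check the mail wishes for, done by hand as a POSIX shell preflight around `openssl ocsp`. It asks the CA's responder about the freshly issued leaf and only reports success once the responder answers "good" in a response whose signature verifies, so the cert is not swapped into Apache while the responder would still say "unknown". The file names (new.pem, chain.pem), the CA bundle path and the retry schedule are assumptions; the sample responder outputs in the comments are constructed from the text `openssl ocsp` prints.

```shell
#!/bin/sh
# Added example (not from the original mail): an OCSP "ready-yet?" preflight
# for a freshly issued certificate. Run it before installing the new cert.
# Assumptions (hypothetical): $1 is the new leaf (new.pem), $2 its issuer
# chain (chain.pem), and OCSP_CAFILE is a bundle that lets openssl verify the
# responder's signature.

# Classify raw `openssl ocsp` text output into one word:
#   good | revoked | unknown | error
# The first three are the RFC 6960 CertStatus values as openssl prints them
# ("<path>: good"); "error" covers "Responder Error: ...", a failed signature
# check ("Response Verify Failure") and anything unparseable. A status that
# did not verify is never trusted, whatever it says.
ocsp_classify() {
    out="$1"
    case "$out" in
        *"Responder Error"*) echo error; return 0 ;;
    esac
    case "$out" in
        *"Response verify OK"*) ;;
        *) echo error; return 0 ;;
    esac
    # openssl prints the status as "<cert path>: <status>" on its own line
    status=$(printf '%s\n' "$out" |
        awk -F': ' '$2=="good"||$2=="revoked"||$2=="unknown"{print $2; exit}')
    if [ -n "$status" ]; then echo "$status"; else echo error; fi
}

# Ask the responder named in the cert's AIA extension. stderr is merged in
# because openssl writes "Response verify OK" and responder errors there.
ocsp_query() {
    cert="$1"; issuer="$2"
    cafile="${OCSP_CAFILE:-/etc/ssl/certs/ca-certificates.crt}"  # assumed path
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$cafile" 2>&1
}

# Poll until the responder says "good". Returns 0 on good, 2 on revoked
# (stop immediately, never install), 1 if it never became good in time.
# Defaults: 12 attempts, 5 minutes apart.
wait_until_good() {
    cert="$1"; issuer="$2"; attempts="${3:-12}"; delay="${4:-300}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        status=$(ocsp_classify "$(ocsp_query "$cert" "$issuer")")
        case "$status" in
            good)    echo "OCSP says good after $i attempt(s); safe to install"; return 0 ;;
            revoked) echo "OCSP says revoked; do not install" >&2; return 2 ;;
            *)       echo "attempt $i: responder says '$status'" >&2 ;;
        esac
        i=$((i + 1))
        if [ "$i" -le "$attempts" ]; then sleep "$delay"; fi
    done
    echo "responder never said good after $attempts attempt(s)" >&2
    return 1
}

# Usage: ./ocsp_ready.sh new.pem chain.pem && (install cert, reload apache)
if [ "$#" -eq 2 ]; then
    wait_until_good "$1" "$2"
fi
```

Two caveats a practitioner would want. First, this only asks the responder directly; it cannot evict an "unknown" answer that browsers, a stapling cache or some intermediate cache have already stored, which is exactly the problem the mail describes, so the value of the check lies in running it before the cert is ever served. Second, a "good" here means the responder now knows the cert; it says nothing about whether the new intermediate is in the chain the server sends, which is a separate check (`openssl s_client -showcerts` against the live server after the swap).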
