My recollection from various CA/Browser discussions is that CAs are *not* actually required to keep around CSRs. Am I wrong?
Most CAs do, because it is the easiest way to log proof of possession of the private key, and because it is useful for a variety of other auditing activities, but other methods are possible, in principle. In fact, I'm struggling to even find that requirement --- 3.2.1 is empty in the latest copy of the BRs. CSRs are only mentioned in an obscure footnote about potential methods for calculating Request Tokens.

-Tim

-----Original Message-----
From: Acme [mailto:acme-boun...@ietf.org] On Behalf Of Jacob Hoffman-Andrews
Sent: Thursday, November 30, 2017 3:44 PM
To: Richard Barnes <r...@ipv.sx>; Daniel McCarney <c...@letsencrypt.org>
Cc: Logan Widick <logan.wid...@gmail.com>; ACME WG <acme@ietf.org>
Subject: Re: [Acme] Question about the new finalizeURL approach, and the order object format after finalizeURL

On 11/30/2017 02:34 PM, Richard Barnes wrote:
> As Jacob points out, CAs are already required to keep around CSRs in
> audit logs.

You missed an important nuance: CAs are not required to keep around CSRs in an online database for live querying on the web. It is much more expensive to store a CSR in a performant database than a rarely-accessed log.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
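As an added illustration of the proof-of-possession point made in this thread (example code, not from the list discussion or from any CA's implementation), the Go program below verifies a CSR's self-signature against the public key it carries and then records only a SHA-256 digest of the DER plus a few requested fields as an append-only audit entry, so the CSR itself never has to live in a live, queryable database. The `AuditEntry` layout, the P-256 test key and the `example.test` names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"time"
)

// AuditEntry is the record a CA could append to a write-once log instead of
// keeping the whole CSR in a live database (hypothetical layout for this example).
type AuditEntry struct {
	When     time.Time
	CSRHash  string   // SHA-256 over the DER-encoded CSR
	Subject  string   // requested subject, for later lookup
	DNSNames []string // requested SANs
}

// RecordCSR parses a DER CSR, verifies its self-signature with the public key
// it carries (proof of possession of the private key), and returns the audit
// entry to log. A CSR that fails to parse or verify is rejected, not logged.
func RecordCSR(csrDER []byte, now time.Time) (AuditEntry, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return AuditEntry{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return AuditEntry{}, fmt.Errorf("proof of possession failed: %w", err)
	}
	sum := sha256.Sum256(csrDER)
	return AuditEntry{When: now, CSRHash: hex.EncodeToString(sum[:]),
		Subject: csr.Subject.String(), DNSNames: csr.DNSNames}, nil
}

// NewTestCSR builds a constructed CSR over a fresh P-256 key for the given names.
func NewTestCSR(dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}
```

Flipping any byte of the signature makes `RecordCSR` return an error instead of an entry, which is the check a CA relies on before treating the CSR as evidence that the requester held the key.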