Hi Andrew,

Is the purpose of the "revocationTime" field such that ACME client behavior would be different than the recommended replacement time-selection algorithm in section 4.1, or is it to provide richer metadata about the pending replacement window that is potentially human or machine-readable?

If the former, I'd be interested to hear how you think the time-selection algorithm should be modified to incorporate the information conveyed in that field. My first thought is that ACME client behavior will be the same regardless of the field value, but I very well may be missing something.

If the latter, I'm wondering if we could consider defining an RFC 7807-style "problem document" format that would provide fuller information that is both human- and machine-readable. The "explanationURL" field as it currently exists in the draft might be useful for conveying human-readable information, but defining a fuller representation of replacement-related metadata would also allow machine-readable information to be conveyed.

Thanks,
Corey

-----Original Message-----
From: Acme <[email protected]> On Behalf Of Andrew Ayer
Sent: Wednesday, March 22, 2023 10:36 AM
To: [email protected]
Subject: [Acme] ARI: Indication if certificate will be revoked

I'm working on adding an ARI client to a certificate monitoring service to notify users when one of their certificates is scheduled to be revoked.

Unfortunately, ARI doesn't currently convey whether the suggestedWindow is mandatory (because the certificate is going to be revoked) or merely advisory. I had previously thought that an end time that was earlier than the certificate's expiration would indicate an upcoming revocation, but it appears that Let's Encrypt's ARI endpoint routinely specifies an end time that is ~30 days earlier than the certificate's expiration.

I propose that the renewalInfo object contain a nullable field called revocationTime which specifies the time the certificate is going to be revoked, if applicable.

Regards,
Andrew

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
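
Added example, not part of the thread or of the ARI draft: a monitoring-side check in Python showing why the "window ends before expiry" heuristic described above cannot tell a routine window from an upcoming revocation, and how the proposed nullable revocationTime field would. The sample responses, dates and the `ca.example` URL are constructed; revocationTime is only the proposal from this thread, and the `start`/`end` keys follow the draft's suggestedWindow object.

```python
import json
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2023-05-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify(renewal_info_json, not_after):
    """Return (heuristic_flags_revocation, revocation_time_or_None)."""
    info = json.loads(renewal_info_json)
    window_end = parse_ts(info["suggestedWindow"]["end"])
    # Heuristic from the thread: a window ending before notAfter implies revocation.
    heuristic = window_end < not_after
    # Proposed field (not in the ARI draft): null or absent means no revocation planned.
    raw = info.get("revocationTime")
    return heuristic, (parse_ts(raw) if raw is not None else None)

def window_kind(renewal_info_json, not_after):
    """'mandatory' only when the CA states a revocation time before expiry."""
    _, revocation_time = classify(renewal_info_json, not_after)
    if revocation_time is not None and revocation_time < not_after:
        return "mandatory"
    return "advisory"

# Constructed samples: certificate expiry and two renewalInfo responses.
NOT_AFTER = datetime(2023, 6, 20, tzinfo=timezone.utc)
ROUTINE = json.dumps({  # window ends ~30 days before expiry, no revocation
    "suggestedWindow": {"start": "2023-05-19T00:00:00Z",
                        "end": "2023-05-21T00:00:00Z"},
    "revocationTime": None,
})
REVOKING = json.dumps({  # CA plans to revoke shortly after the window
    "suggestedWindow": {"start": "2023-03-23T00:00:00Z",
                        "end": "2023-03-25T00:00:00Z"},
    "explanationURL": "https://ca.example/incident",
    "revocationTime": "2023-03-27T00:00:00Z",
})

if __name__ == "__main__":
    for name, doc in (("routine", ROUTINE), ("revoking", REVOKING)):
        heuristic, when = classify(doc, NOT_AFTER)
        print(name, "heuristic:", heuristic, "revocationTime:", when,
              "->", window_kind(doc, NOT_AFTER))
```

The heuristic flags both samples, so a monitoring service relying on it would alert on every routine window; only the explicit field separates the two cases.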
