On Thu, Jul 18, 2024 at 04:44:41PM -0700, Aaron Gable wrote:
>
> Only one ticket remains, a discussion of whether the ACME server should be
> encouraged to reply specifically with HTTP 409 ("Conflict")
> <https://github.com/aarongable/draft-acme-ari/issues/56> in the case that a
> new-order request specifies that it replaces a certificate which has
> already been replaced. Honestly I'm happy to go either way on this one, and
> it is my understanding that tiny edits such as this are appropriate for the
> Last Call process if the final reviewers have an opinion on them?
One subtle edge case: What if there is a reusable order with matching ARI replaces? Or more generally, how should ARI replaces and order reuse interact?

I think that a reusable order with matching ARI replaces should be reused without conflict, but orders without matching ARI replaces should not be reused. (The no-reuse across ARI replaces is to handle the case where the client is trying to renew dual RSA/ECDSA certs in parallel.)

Then there does not seem to be any signal that order creation errors are due to ARI. So if a client ever encounters order creation failing because of ARI, it probably gets stuck in an error loop (at least until the certificate expires).

One way to get into that situation is to rotate the ACME account (which some seem to consider "best practice") with an ACME server that errors out if the account does not match.

(The way I hacked around that is to immediately retry with ARI cleared if any order creation with ARI fails with any client error document.)

-Ilari

_______________________________________________
Acme mailing list -- acme@ietf.org
To unsubscribe send an email to acme-le...@ietf.org
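The following Python is an added illustration, not code from this thread and not normative text from draft-acme-ari. It models the interaction Ilari describes: a pending order is reused only when its `replaces` value matches the new request exactly (so parallel RSA and ECDSA renewals with the same identifiers get separate orders), a request naming an already-replaced certificate gets the proposed HTTP 409, and the client-side workaround retries once without `replaces` after any 4xx. The `Order`/`Server` structures, the `already_replaced` bookkeeping and the sample identifiers are all assumptions made for the example.

```python
"""Toy model of ACME 'replaces' (ARI) versus order reuse.

Added example: all names, data structures and sample values are constructed
and are not taken from draft-acme-ari or from any ACME implementation.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Order:
    identifiers: FrozenSet[str]      # DNS names in the order
    replaces: Optional[str]          # ARI certificate identifier, or None
    status: str = "pending"


@dataclass
class Server:
    orders: List[Order] = field(default_factory=list)
    # Certificate ids already named in 'replaces' by an order that was
    # finalized; a second replacement of the same cert is a conflict.
    already_replaced: Set[str] = field(default_factory=set)

    def new_order(self, identifiers: FrozenSet[str],
                  replaces: Optional[str] = None) -> Tuple[int, Optional[Order]]:
        """Return (http_status, order): 200 reused, 201 created, 409 conflict."""
        if replaces is not None and replaces in self.already_replaced:
            return 409, None  # cert already replaced: proposed HTTP 409 Conflict
        for o in self.orders:
            if o.status == "pending" and o.identifiers == identifiers:
                # Reuse only on an exact 'replaces' match. A non-ARI order is
                # never handed back to an ARI request (and vice versa), and
                # two ARI requests replacing different certs (e.g. the RSA and
                # the ECDSA chain) each get their own order.
                if o.replaces == replaces:
                    return 200, o
        o = Order(identifiers, replaces)
        self.orders.append(o)
        return 201, o

    def finalize(self, order: Order) -> None:
        """Mark the order issued and record which cert it replaced."""
        order.status = "valid"
        if order.replaces is not None:
            self.already_replaced.add(order.replaces)


def client_new_order(server: Server, identifiers: FrozenSet[str],
                     replaces: Optional[str]) -> Tuple[int, Optional[Order], bool]:
    """The workaround from the thread: on any 4xx while 'replaces' is set,
    retry once with 'replaces' cleared. Third element is True when the
    client fell back to a non-ARI order."""
    status, order = server.new_order(identifiers, replaces)
    if 400 <= status < 500 and replaces is not None:
        status, order = server.new_order(identifiers, None)
        return status, order, True
    return status, order, False


if __name__ == "__main__":
    s = Server()
    ids = frozenset({"example.test"})          # constructed sample identifier
    print(s.new_order(ids, "cert-rsa")[0])     # 201: fresh ARI order
    print(s.new_order(ids, "cert-ecdsa")[0])   # 201: parallel renewal, not reused
    print(s.new_order(ids, "cert-rsa")[0])     # 200: exact match, reused
```

The `already_replaced` set is the one piece of state the server needs for the 409 decision; without it the server can only reject on account mismatch or similar, which is exactly the case where the client cannot tell an ARI-caused failure from any other client error and needs the fallback in `client_new_order`.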