aarongable / draft-acme-ari

Internet Draft for the Automated Certificate Management Environment (ACME) Renewal Information (ARI) Extension

What exactly does "share identifiers" mean? #57

Closed robstradling closed 3 months ago

robstradling commented 4 months ago

I wish I'd seen https://github.com/aarongable/draft-acme-ari/commit/8b464ffe1c5754f43a85bec7bc50ccbfafd44e64 (Remove "a preponderance of") yesterday, before I spent time mulling over how to interpret it! :-)

I'm not sad to see that somewhat archaic word ditched, but the wording after that commit leaves me even more unsure of what's expected.

With "a preponderance of", I'd concluded yesterday that >50% of the identifiers in the newOrder request must match identifiers in the certificate identified by replaces, or else the Server would ignore replaces. (I'd also concluded that "preponderance" was vague enough that it would also make sense for that ">50%" figure to be configurable, per Server, anywhere between ">50%" and "100%").

But what exactly does "share identifiers" mean? Does the newOrder request have to have the exact same set of identifiers as the certificate identified by replaces, with zero identifiers dropped and zero identifiers added? (If so, then I'd suggest tightening the wording to "share the exact same set of identifiers" or something similar). Or is it intended that defining the meaning of "share identifiers" should be left to each individual Server's policy? (If so, then I'd suggest adding to the wording to explicitly say this).

aarongable commented 4 months ago

Yeah, I changed it from "share a preponderance of identifiers with" to just "share identifiers with" to allow more freedom in server policy. I think that all of the following would be reasonable policies for a server to have:

1) The replacement must have exactly the same identifiers
2) The replacement must be a strict subset of the identifiers (i.e. all names have been issued for previously, but allowing names to be discontinued)
3) The replacement must share most / a preponderance of the identifiers (essentially "shrug, seems like a spiritual successor")
4) The replacement must share at least one identifier (as long as any name is being renewed, it counts)

I agree that it should be clearer that exactly what approach is taken is left up to server policy. I'll work on some language.

robstradling commented 4 months ago

I agree that leaving it up to server policy makes sense, given that what a server should do with an accepted replaces value is also left up to server policy.
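
The four candidate server policies listed in aarongable's comment, sketched as an added example that is not part of the thread, the draft, or any ACME server's code. The names `Policy`, `normalize`, `shares_identifiers`, `dns` and `decisions` are hypothetical. It assumes policy 2 also accepts an identical set, policy 3 means more than half of the newOrder identifiers, and DNS names compare case-insensitively without a trailing dot.

```python
from enum import Enum

class Policy(Enum):
    EXACT = "exact"        # 1) same identifier set
    SUBSET = "subset"      # 2) no new identifiers; names may be dropped
    MAJORITY = "majority"  # 3) more than half of the requested identifiers match
    ANY = "any"            # 4) at least one identifier in common

def normalize(identifiers):
    """Turn ACME identifier objects ({"type", "value"}) into a comparable set."""
    out = set()
    for ident in identifiers:
        typ, val = ident["type"].lower(), ident["value"]
        if typ == "dns":
            # Assumption: compare DNS names case-insensitively, no trailing dot.
            val = val.lower().rstrip(".")
        out.add((typ, val))
    return out

def shares_identifiers(order_ids, replaced_cert_ids, policy):
    """Return True if `replaces` would be honoured under the given policy."""
    new, old = normalize(order_ids), normalize(replaced_cert_ids)
    if not new or not old:
        return False  # nothing to compare, so never treat it as a replacement
    common = new & old
    if policy is Policy.EXACT:
        return new == old
    if policy is Policy.SUBSET:
        return new <= old  # assumption: an identical set is also accepted
    if policy is Policy.MAJORITY:
        return len(common) * 2 > len(new)  # share measured against the newOrder
    if policy is Policy.ANY:
        return bool(common)
    raise ValueError(f"unknown policy: {policy!r}")

def dns(*names):
    """Build constructed sample identifiers of type dns."""
    return [{"type": "dns", "value": n} for n in names]

# Constructed sample data: the replaced certificate and three newOrder requests.
CERT = dns("example.com", "www.example.com", "api.example.com")
SAME = dns("WWW.example.com", "example.com.", "api.example.com")
DROPPED = dns("example.com", "www.example.com")
MIXED = dns("example.com", "new.example.com", "other.example.net")

def decisions(order):
    """Evaluate one newOrder against CERT under every policy."""
    return {p.value: shares_identifiers(order, CERT, p) for p in Policy}
```

The same newOrder can be accepted as a replacement under one policy and rejected under another, which is why the thread asks for the draft to say explicitly that the choice is left to the server.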