Closed robstradling closed 3 months ago
This is a good point. FWIW, Caddy/Certmagic stacks now rotate the private key each time a certificate is renewed (by default; this is configurable). So we'll be re-keying often.
Or would it be enough to add a single sentence to draft-acme-ari along the lines of "In this document, 'renewal' is taken to encompass any combination of Renewal, Re-Key, and Modification [RFC3647]" ?
Yeah, I think this is the best approach.
When draft-acme-ari says "renewal" or "renew", I'm guessing the intended meaning is any combination of (in RFC3647 terms) Renewal and/or Re-Key and/or Modification:
https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.6 (Certificate Renewal)
https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.7 (Certificate Re-Key)
https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.8 (Certificate Modification)
Assuming I've guessed correctly, and in the interest of avoiding confusion amongst implementors, observers, and auditors... Should draft-acme-ari be revised so that its terminology is aligned with RFC3647's terminology? Or would it be enough to add a single sentence to draft-acme-ari along the lines of "In this document, 'renewal' is taken to encompass any combination of Renewal, Re-Key, and Modification [RFC3647]" ?
Relatedly, I think it's good that the new field in the Order object is named `replaces` rather than `renews`, since (unlike "Certificate Renewal"), "Certificate Replacement" is not an RFC3647 term with a different scope.