Certificate Renewal, Re-Key, Modification

[robstradling]

When draft-acme-ari says "renewal" or "renew", I'm guessing the intended meaning is any combination of (in RFC3647 terms) Renewal and/or Re-Key and/or Modification:

https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.6 (Certificate Renewal)

Certificate renewal means the issuance of a new certificate to the subscriber without changing the subscriber or other participant's public key or any other information in the certificate:

https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.7 (Certificate Re-Key)

...generating a new key pair and applying for the issuance of a new certificate that certifies the new public key:

https://www.rfc-editor.org/rfc/rfc3647.html#section-4.4.8 (Certificate Modification)

...the issuance of a new certificate (6) due to changes in the information in the certificate other than the subscriber public key

Assuming I've guessed correctly, and in the interest of avoiding confusion amongst implementors, observers, and auditors... Should draft-acme-ari be revised so that its terminology is aligned with RFC3647's terminology? Or would it be enough to add a single sentence to draft-acme-ari along the lines of "In this document, 'renewal' is taken to encompass any combination of Renewal, Re-Key, and Modification [RFC3647]" ?

Relatedly, I think it's good that the new field in the Order object is named replaces rather than renews, since (unlike "Certificate Renewal"), "Certificate Replacement" is not an RFC3647 term with a different scope.

[mholt]

This is a good point. FWIW, Caddy/Certmagic stacks now rotate the private key each time a certificate is renewed (by default; this is configurable). So we'll be re-keying often.

[aarongable]

Or would it be enough to add a single sentence to draft-acme-ari along the lines of "In this document, 'renewal' is taken to encompass any combination of Renewal, Re-Key, and Modification [RFC3647]" ?

Yeah, I think this is the best approach.