Status Clarifications

[bifurcation]

This PR attempts to add a lot more clarity to the "status" field on objects and how it evolves.

• Adds a section describing the state transitions for the various object types. (This turns out to be a handy protocol summary as well)
• Aligns the valid values in the "status" field definitions to the description in that section
• Adds a "ready" state on orders to indicate when the order is ready to be finalized

Fixes #391
Fixes #397 (by showing why challenges need separate status)

Slightly beyond the scope of this PR, it might also be good to:

• Define an "expired" status for autz, independent of "invalid"
• Add a subsection of "Applying for Certificate Issuance" briefly noting / illustrating finalization

[cpu]

This is a great step towards making sure the status state changes are consistent & understandable.

I've flagged a few issues to address.

[cpu]

If there is an error, and the challenge moves to the "invalid" state, how does the client request retry? That seems like the primary reason you would want to retry and there isn't any information about how the server should handle failures during processing except to change out of processing.

[joernheissler]

I think "invalid" is a final decision. If the client wants another try, they'd need to create a new order.
Section 8.2 says that "the server SHOULD retry the query after some time".
Being unable to retry individual challenges might mean that some users will have a hard time acquiring a certificate. But then they should just fix their setup and respond to the challenge only when it will work.
I.e. I agree with the above change.

[bifurcation]

Yeah, what @joernheissler said. I had also been thinking of "invalid" as a final state. ISTM if you want to signal to the client that something has gone wrong and a retry is needed, there are basically three options:

1. Keep it in "processing" and add to the subproblems array
2. Move it to "invalid" and add to the subproblems array
3. Move it to a new "retry" state and add to the subproblems array

(1) is what we do now, and in case you can't tell by my phrasing here, I don't think we need any more signal than adding to the subproblems array. It seems like the only real argument for having a non-"processing" state is if find it distasteful to have "processing" with "error" populated, in which case I would propose we do (3) instead.

[cpu]

Ok. That sounds reasonable.

[cpu]

what does "the authorization times out" mean? I thought perhaps expiry but you mention that distinctly later in this paragraph.

[jsha]

*authorizatoin->authorization

[cpu]

I think you're missing a connecting word here between deactivating and revoking.

or, revoked by the server ("revoked").

[cpu]

nit: If you put the revocation case on the left fork I think you could fit the whole word "deactivated" on the right fork

[cpu]

I think we should skip the word "fatal" here - we never define what a fatal error is versus a normal error. They're all just errors.

[cpu]

This paragraph (& the flow chart) are also missing three ways that an order can become invalid:

1. One of its authorizations becomes invalid because it was deactivated
2. One of its authorizations becomes invalid because it expired
3. The order expires

[jsha]

One of its authorizations becomes invalid because it was deactivated

Or the authorization was revoked. :-)

We should probably say "If any of the authorizations changes to a state other than pending or valid, the order becomes invalid."

[jsha]

*authorizatoin->authorization

[jsha]

Let's treat expired as its own state, and note that it doesn't show up in the "status" field: the URL just starts to 404.

Also, there should be an arrow from pending to expired.

[bifurcation]

We don't require 404 when an authz expires:

If the client fails to complete the required actions before the "expires" time, then the server SHOULD change the status of the order to "invalid" and MAY delete the order resource.

So we shouldn't add any text here that would imply that 404 is necessary.

[jsha]

The "ready" state makes some sense but is a significant addition. I'm inclined to leave it out of this change, to more clearly separate "additional documentation" from "protocol changes".

[bifurcation]

Funny you should say that, because "expires" is also a new state :) This change is not large in spec terms -- this PR is all it needs. It doesn't seem like it should be a huge change for implementations either.

[jsha]

One of its authorizations becomes invalid because it was deactivated

Or the authorization was revoked. :-)

We should probably say "If any of the authorizations changes to a state other than pending or valid, the order becomes invalid."

[cpu]

This is looking better after the last few rounds of feedback were applied.

One oversight that still remains is in the "Applying for Certificate Issuance" section.

There is a section about how the status of the order post-finalization tells the client what to do. It covers "invalid", "pending", "processing" and "valid" - I think it needs to be updated with "ready". Similarly the existing text for "processing" doesn't match this new state model.

[cpu]

Two small pieces of feedback

[cpu]

nit: "and is awaiting on finalization" -> "and is awaiting finalization".

[cpu]

"Retry" in this case might need to be disambiguated slightly, what about "Poll the order again after the ... " ?

[jsha]

I'm fine accepting the "ready" state based on the above, although Let's Encrypt won't have it implemented by v2 launch time. I think that's fine. One tiny bit of further clarification: I was thinking of "expired" as a meta-state that is not necessarily reflected in the status field. I think we can just add a sentence saying something like "objects in an expired state may simply return 404."