ACME must include certificate acceptance step #106
Do we have a period of time after which the certificate must be revoked if not explicitly accepted? Minutes, hours, days?
I don't think a particular amount of time is mandated; maybe we should just revoke when the TCP connection from the client terminates, or after some length of time, whichever is sooner.
The easiest thing to do is a batch process that looks for all unconfirmed certificates older than a certain amount, say an hour, and revokes them. I can make the necessary changes.
I like easy.
In the latest version of our CPS, https://letsencrypt.org/ISRG-CPS-Draft-May-5-2015.pdf, this is now section 5.5.1:
But above that we have:
These seem to be in conflict. If 5.4.1 trumps, we don't need to modify the protocol, since we can rely on 'Failure of the Subscriber to object to the Certificate or its content.' But I'm guessing 5.5.1 trumps based on past conversations, so we should probably fix 5.5.1.
Section 5.4.1 defines "certificate acceptance" with a clause trusting the Applicant/Subscriber to pre- "Downloading a Certificate or installing a Certificate from a message attaching it; or non-objection". It would follow that any further mention of acceptance should hold to this definition unless further defined. Section 5.5.1 as such refers to "Acceptance" with the in-place definition inclusive of non-objection. The Applicant/Subscriber should be presented with an opportunity to object. Foregoing objection, whether at the close of a connection or time period, constitutes acceptance.
Couldn't this be solved by returning a "receipt" JSON body with the Example:
Then, if you like what you see, you can download the cert.
Dunno if there's a standard way to display a certificate in json, so I just threw something together for a receipt that would meet the requirements for an adequate "review". |
We've confirmed that, based on our CPS, we don't actually need to do this. Yay!
Section 4.5.1 of our CPS, which cannot be changed, states:
"Upon Issuance of a Certificate naming the Applicant/Subscriber as the holder of the Certificate, reviews the Certificate to ensure that all information included in it is accurate, and to expressly indicate Acceptance or rejection of the Certificate;"
This can be an automated review by a client, but we must enforce via ACME that clients expressly indicate acceptance or rejection. If a client rejects, or does not explicitly accept, then the certificate must be revoked.
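Added example, not code from this issue, the ACME spec or any Let's Encrypt software: a Python model of the acceptance step the thread converges on. The CA hands back a reviewable receipt rather than the certificate, the client compares the receipt against the names it actually requested and expressly accepts or rejects, and a batch sweep (the "say an hour" job proposed above) revokes anything still unaccepted once the window closes. The class and field names, the receipt fields, the one-hour window and the sample names are all assumptions; the three cases in `run_demo` are constructed.

```python
# Added example: CA-side model of an explicit certificate acceptance step.
# Not project code; names, receipt fields and the one-hour window are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ACCEPTANCE_WINDOW = timedelta(hours=1)  # assumed, per "say an hour" in the thread


@dataclass
class IssuedCertificate:
    serial: str
    receipt: dict               # the summary shown to the subscriber for review
    issued_at: datetime
    status: str = "pending"     # pending -> accepted | revoked
    revocation_reason: Optional[str] = None


def make_receipt(names: List[str], issued_at: datetime) -> dict:
    """Constructed receipt: the fields a subscriber needs to check before accepting."""
    return {
        "subject": names[0],
        "subjectAltNames": list(names),
        "notBefore": issued_at.isoformat(),
        "notAfter": (issued_at + timedelta(days=90)).isoformat(),
        "issuer": "Example CA (constructed)",
    }


class AcceptanceTracker:
    """Tracks issued certificates until the subscriber expressly accepts or rejects them."""

    def __init__(self) -> None:
        self.certs: Dict[str, IssuedCertificate] = {}

    def issue(self, serial: str, names: List[str], now: datetime) -> dict:
        cert = IssuedCertificate(serial, make_receipt(names, now), now)
        self.certs[serial] = cert
        return cert.receipt  # the client sees the receipt first, not the certificate

    def _revoke(self, cert: IssuedCertificate, reason: str) -> None:
        cert.status = "revoked"
        cert.revocation_reason = reason

    def accept(self, serial: str, now: datetime) -> bool:
        """Explicit acceptance. Fails if already decided or if the window has passed."""
        cert = self.certs[serial]
        if cert.status != "pending":
            return False
        if now - cert.issued_at > ACCEPTANCE_WINDOW:
            self._revoke(cert, "not accepted within window")
            return False
        cert.status = "accepted"
        return True

    def reject(self, serial: str, now: datetime) -> bool:
        """Explicit rejection: revoke immediately, regardless of the window."""
        cert = self.certs[serial]
        if cert.status != "pending":
            return False
        self._revoke(cert, "rejected by subscriber")
        return True

    def sweep(self, now: datetime) -> List[str]:
        """Batch job: revoke everything still pending past the window; returns serials revoked."""
        revoked = []
        for cert in self.certs.values():
            if cert.status == "pending" and now - cert.issued_at > ACCEPTANCE_WINDOW:
                self._revoke(cert, "not accepted within window")
                revoked.append(cert.serial)
        return revoked


def client_review(receipt: dict, requested_names: List[str]) -> bool:
    """Automated subscriber review: accept only a certificate covering exactly the requested names."""
    return set(receipt["subjectAltNames"]) == set(requested_names)


def run_demo() -> dict:
    """Three constructed cases: prompt acceptance, explicit rejection, silent client."""
    t0 = datetime(2015, 5, 6, 12, 0, tzinfo=timezone.utc)
    tracker = AcceptanceTracker()

    # A: receipt matches the request, client accepts five minutes later.
    receipt_a = tracker.issue("A", ["example.com", "www.example.com"], t0)
    if client_review(receipt_a, ["example.com", "www.example.com"]):
        tracker.accept("A", t0 + timedelta(minutes=5))

    # B: receipt carries a name the client never asked for, so it rejects.
    receipt_b = tracker.issue("B", ["example.org", "mail.example.org"], t0)
    if not client_review(receipt_b, ["example.org"]):
        tracker.reject("B", t0 + timedelta(minutes=5))

    # C: client goes away without accepting; the hourly sweep revokes it,
    # and a late acceptance attempt is refused because revocation is final.
    tracker.issue("C", ["example.net"], t0)
    swept = tracker.sweep(t0 + timedelta(hours=1, minutes=1))
    late_accept = tracker.accept("C", t0 + timedelta(hours=2))

    return {
        "statuses": {s: c.status for s, c in tracker.certs.items()},
        "reasons": {s: c.revocation_reason for s, c in tracker.certs.items()},
        "swept": swept,
        "late_accept_C": late_accept,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The design point is that silence is never treated as acceptance: a certificate leaves the `pending` state only through an explicit `accept` or `reject` call from the subscriber or through the CA's own sweep, and once revoked it cannot be accepted late. The strict set-equality check in `client_review` is the kind of automated review the last comment allows; a real client would also want to compare validity dates and the issuer against what it expects.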