Is it necessary to patch the ACME standard to differentiate new-order from replace-order?
--
Your honor, the Let's Encrypt Team and ACME standard board,
For commercial CAs in the traditional SSL certificate business, there are new-order, reissue (aka replace-order), and revoke operations on an SSL certificate. new-order and replace-order in particular involve the issue of accurate billing:
- If a customer places an order including www.domain.com, the CA charges him the cost of 1 × domain (for www.domain.com).
- After the first certificate is issued, if he decides to reissue (replace order) to append www.domain2.com to it, the CA charges him the cost of 1 × domain (for www.domain2.com; www.domain.com won't be charged twice).
If we try to implement ACME for that customer, the issue appears: when the customer is reissuing the certificate to append a second domain, the CA doesn't know which old existing order he's trying to reissue. The CA can't even tell whether the customer is reissuing or making a new purchase, so the only choice for the ACME server is to charge the customer the full cost for all domains (the ACME request carries no id, voucher or resource key to the server).
That's weird when a commercial ACME user meets it.
I know this idea means nothing for the Let's Encrypt free certificate community. But I think this will be helpful to commercial CAs to expand new businesses if the ACME protocol can implement it. Especially since the Google Chrome team decided to force moving forward to a 90-day lifecycle for all TLS certificates, the first thing commercial CAs willing to integrate ACME will consider is whether it will destroy their reseller networks and delivery model.
--
Sincerely,
Bruce
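The distinction Bruce asks for, shown from the CA side as an added example (not part of the post above, and not any CA's or Let's Encrypt's code). A plain RFC 8555 newOrder body carries only "identifiers" (plus optional notBefore/notAfter), so two orders for the same names look identical to the server. The ACME Renewal Information (ARI) extension adds an optional "replaces" field to newOrder that names the certificate being replaced by its certID (base64url of the AKI keyIdentifier, a period, base64url of the serial's DER content octets). The toy server below uses that field to bill only the names that were added; the billing policy, the BillingCA class and the order_payload helper are illustrative assumptions, and the keyIdentifier and serial constants are taken from the ARI specification's own certID example.

```python
"""Added example: telling an ACME replace-order from a fresh purchase.

Plain RFC 8555 newOrder payloads carry only "identifiers", so the server
cannot know which earlier order is being reissued.  The ARI extension's
optional "replaces" field (the certID of the certificate being replaced)
gives the server that link.  BillingCA and its pricing are illustrative.
"""
import base64
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """Unpadded base64url, as ACME uses for every binary field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER (tag and length stripped): minimal
    big-endian two's complement, so a leading 0x00 is kept when the top bit
    of the first octet would otherwise be set.  Serial numbers are positive."""
    if value < 0:
        raise ValueError("certificate serial numbers are positive integers")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """ARI certID: base64url(AKI keyIdentifier) '.' base64url(serial content octets)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def order_payload(names: list, replaces: Optional[str] = None) -> str:
    """JSON body of an ACME newOrder request for DNS identifiers (helper, assumed)."""
    body = {"identifiers": [{"type": "dns", "value": n} for n in names]}
    if replaces is not None:
        body["replaces"] = replaces  # ARI extension field, absent in plain RFC 8555
    return json.dumps(body)


class BillingCA:
    """Toy CA-side bookkeeping with an illustrative per-domain billing policy."""

    def __init__(self, price_per_domain: int = 1) -> None:
        self.price = price_per_domain
        self.issued = {}        # certID -> set of names on that certificate
        self.replaced = set()   # certIDs already consumed by a "replaces"

    def issue(self, aki_key_identifier: bytes, serial: int, names: list) -> str:
        """Record an issued certificate; return the certID a client would quote."""
        cert_id = ari_cert_id(aki_key_identifier, serial)
        self.issued[cert_id] = set(names)
        return cert_id

    def new_order(self, payload: str) -> dict:
        """Quote an order.  Without "replaces" the server can only see a new
        purchase; with a valid "replaces" it bills the added names only."""
        order = json.loads(payload)
        names = {i["value"] for i in order["identifiers"] if i["type"] == "dns"}
        prior = order.get("replaces")
        if prior is None:
            return {"kind": "new", "charged": sorted(names), "cost": self.price * len(names)}
        if prior not in self.issued:
            raise ValueError("replaces does not name a certificate issued by this CA")
        if prior in self.replaced:
            raise ValueError("that certificate has already been replaced")
        self.replaced.add(prior)  # a certificate is replaced at most once
        added = names - self.issued[prior]
        return {"kind": "replace", "charged": sorted(added), "cost": self.price * len(added)}


# keyIdentifier and serial from the ARI specification's own certID example.
EXAMPLE_AKI = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
EXAMPLE_SERIAL = 0x87654321


def demo() -> list:
    """The scenario from the post: order www.domain.com, then add www.domain2.com."""
    ca = BillingCA()
    first = ca.new_order(order_payload(["www.domain.com"]))
    cert_id = ca.issue(EXAMPLE_AKI, EXAMPLE_SERIAL, ["www.domain.com"])
    both = ["www.domain.com", "www.domain2.com"]
    reissue = ca.new_order(order_payload(both, replaces=cert_id))  # billed for the one added name
    fresh = ca.new_order(order_payload(both))                      # no link: looks like a new purchase
    return [first, reissue, fresh]


if __name__ == "__main__":
    print(ari_cert_id(EXAMPLE_AKI, EXAMPLE_SERIAL))
    for quote in demo():
        print(quote)
```

Running it quotes the first order at one domain, the reissue carrying "replaces" at one domain (www.domain2.com only), and the same two-name order without "replaces" at two domains, which is exactly the over-billing the post describes. A second order quoting the same certID is rejected, as is a certID the CA never issued, so the link cannot be reused to obtain discounted names indefinitely.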