Proposal: ACME Profiles

jvanasco · August 31, 2023, 3:14pm

Yes. @aarongable has mentioned in several places they want to move this - and other attributes - onto profiles and away from CSRs.

In the above notice:

And in the other thread this example:

Offer a new endpoint (and ACME spec update) to list available chains

       "profiles": {
         "default": "The profile that Let's Encrypt has been using for the last 6+ years.",
         "short": "The same as 'default', but with a validity period of 10 days.",
         "minimal": "A stripped-down profile with a short lifetime, no OCSP, no keyEncipherment KU, no clientAuth EKU, etc."
       }

I am +1 on removing everything from the CSR and shifting to profiles or other. While it had an important role in ACME v1 as the genesis of the ACME Order and could be generated by a Client or Subscriber, in ACME v2 it is expected to be carefully constructed by the Client – and CAs have been handling unsupported situations differently (mostly within RFCs). I don't think we're likely to see RFC updates to address this, as there are too many CAs at this point who are utilizing the "flexibility" of the RFC here - so adopting profiles would address these situations fairly decently by shifting a focus onto the alternate method.

Topic		Replies	Views
Re: Announcing Certificate Profile Selection Issuance Policy	86	1457	March 23, 2025
Offer a new endpoint (and ACME spec update) to list available chains Feature Requests	26	1847	September 21, 2023
Announcing Certificate Profile Selection API Announcements	0	517	January 9, 2025
Alternate chain selection Client dev	18	5938	February 16, 2021
6 day certificates!? Pinch me I'm dreaming Issuance Policy	37	1971	January 30, 2025

Proposal: ACME Profiles

Related topics