Hi forum,
I've got a question for you all. You can skip the Background section if you like, but it does provide helpful context for fully understanding the motivation behind asking this question.
Background
Today, a new Authorization is created with a lifetime of 7 days. If the client does not attempt to fulfill the Challenge within that time period, then the authorization expires and the client needs to create a new Order and new authorizations to try again. In addition, if the client creates a new order during that time, the existing pending authorization will be attached to the new order, to prevent too many duplicate pending authorizations from accumulating.
Today, when a challenge is successfully validated, its corresponding authorization is then given a lifetime of 30 days. During that time, any new orders created by the same subscriber for the same name will be paired with that existing validated authorization, and issuance can occur without the client having to demonstrate control again.
However, when we conduct domain control validation, we actually check two things at the same time: whether the domain control challenge succeeds, and whether the domain has any CAA Records which would prevent us from issuing for that name.
The Baseline Requirements state that validated authorizations can be re-used for up to 398 days; hence our 30 days is already much shorter than the maximum allowable time. However, they also state that CAA checks can only be used for up to 8 hours. We keep ours around for 7 hours, to be safely under the limit.
This means that we have extensive infrastructure to enable rechecking CAA, to ensure that we're still allowed to issue when the validated authorizations are more than 7 hours old but less than 30 days old. This includes an entire gRPC service, a post-hoc audit service, and extensive reuse logic. I'd like to be able to get rid of all of it.
Proposal
Shorten the lifetime of a validated authorization from 30 days to 7 hours, to match the lifetime of a CAA check.
Benefits:
- Allows us to remove the CAA rechecking infrastructure described above.
- Improves the overall security of the internet, by not allowing a single validation to continue to drive issuance for 30 days.
Drawbacks:
- Clients which request multiple orders for the same name within a 30-day period will have to complete multiple challenges, rather than reusing the first validated authorization.
- Clients which take more than 7 hours between completing their validations and finalizing their order will break.
Questions
Will reducing the authorization reuse lifetime from 30 days negatively affect your ACME clients or your Web service which uses an ACME client? Would having to complete multiple challenges in a month have a negative effect on your operations?
Are you aware of any clients which leave orders open for extended periods of time? Are you aware of any use-cases for purposefully slow-rolling the finalization of an order?
Thanks, and I look forward to your feedback!
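As an added illustration (not the poster's or Boulder's code), the following constructed Python model encodes the lifetimes described in the post and shows which issuance path an existing authorization takes under the current 30-day policy versus the proposed 7-hour one; the class, function names and the policy table are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Lifetimes as described in the post (constructed model, not Boulder's constants).
PENDING_AUTHZ_LIFETIME = timedelta(days=7)   # unvalidated authz expires after 7 days
CAA_CHECK_LIFETIME = timedelta(hours=7)      # kept under the 8-hour BR limit

# How long a *validated* authorization may be reused under each policy.
POLICIES = {
    "current": timedelta(days=30),   # today: reuse for 30 days, recheck CAA after 7h
    "proposed": timedelta(hours=7),  # proposal: reuse only as long as the CAA check is fresh
}


@dataclass
class Authorization:
    name: str
    created_at: datetime
    validated_at: Optional[datetime] = None  # None while the challenge is still pending

    def status(self, now: datetime, policy: str) -> str:
        """Return 'pending', 'valid' or 'expired' for this authz under the named policy."""
        if self.validated_at is None:
            return "pending" if now - self.created_at < PENDING_AUTHZ_LIFETIME else "expired"
        return "valid" if now - self.validated_at < POLICIES[policy] else "expired"


def finalize_decision(authz: Authorization, now: datetime, policy: str) -> str:
    """What the CA must do before issuing against an existing authorization.

    'issue'             - authz valid and the CAA result from validation is still fresh
    'issue-recheck-caa' - authz valid but CAA result is older than 7h; recheck first
    'new-challenge'     - authz pending or expired; the client must validate again
    """
    if authz.status(now, policy) != "valid":
        return "new-challenge"
    caa_fresh = now - authz.validated_at < CAA_CHECK_LIFETIME
    return "issue" if caa_fresh else "issue-recheck-caa"


def recheck_path_reachable(policy: str) -> bool:
    """True if a valid authz can ever be older than its CAA check under this policy.

    This is the branch the post's rechecking infrastructure exists to serve; under
    the proposed policy it can never be taken, so that infrastructure becomes dead code.
    """
    return POLICIES[policy] > CAA_CHECK_LIFETIME


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    authz = Authorization("example.com", created_at=t0, validated_at=t0)
    for hours in (3, 12, 24 * 31):
        for policy in POLICIES:
            print(policy, f"+{hours}h", finalize_decision(authz, t0 + timedelta(hours=hours), policy))
```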