I omitted "would" from my previous comment, but I think it's pretty clear from Francis' comment that we're discussing a hypothetical situation, and neither of us knows if any of the 645 affected certificates were requested by Caddy or not.
I skimmed the forum links (it would be productive if you could send an email summarizing your thoughts to the IETF ACME WG) and it seems like your complaints could also be said of OCSP so it's hard to figure out why OCSP is OK for Caddy but ARI isn't.
FWIW, there's currently a ballot in the CABF which would make OCSP optional for CAs, so OCSP may be on the way out in the WebPKI.
So yes, that would be news to me. I'm asking for more information. If Caddy did not serve broken certificates, then I would appreciate clarification there so I know where to spend my energy.
> (it would be productive if you could send an email summarizing your thoughts to the IETF ACME WG)
I did this once and it was like talking into a black hole. All the responses I got to the issue I brought up were laced with complacency.
> I skimmed the forum links and it seems like your complaints could also be said of OCSP so it's hard to figure out why OCSP is OK for Caddy but ARI isn't.
Because OCSP does what it's intended to do. ARI does not.
> FWIW, there's currently a ballot in the CABF which would make OCSP optional for CAs, so OCSP may be on the way out in the WebPKI.
I am tracking that proposal and get daily notifications. It is only for short-lived certs. I would be thrilled if we could replace revocation -- and OCSP -- with short-lived certs.
> So yes, that would be news to me. I'm asking for more information. If Caddy did not serve broken certificates, then I would appreciate clarification there so I know where to spend my energy.
This is not engaging in good faith.
> I am tracking that proposal and get daily notifications. It is only for short-lived certs.
It would make OCSP optional for all certificates. CRLs would be optional only for short-lived certs.
When I read the thread in context, it's clear that the response is within the hypothetical raised in the very first comment "if those websites used Caddy", that hypothetical.
The response has the understood "No, even in that hypothetical, this is the case", and doesn't explicitly say it's in the hypothetical, but in context it clearly is.
Your first response to that, missing the context and asking for "more info", well, miscommunications happen, that's fine.
What seems obviously not in good faith is that the parent commenter clearly then explains themselves with "we're discussing a hypothetical situation", and you ignored that, and responded as if they hadn't explained it.
The whole thread is confusing then. I definitely didn't read it as hypothetical, especially since:
> What seems obviously not in good faith is that the parent commenter clearly then explains themselves with "we're discussing a hypothetical situation", and you ignored that, and responded as if they hadn't explained it.
No, @agwa replied directly with a very non-hypothetical response: "That's news to you? I informed you last week that Caddy would serve broken certificates in this situation," implying that the conversation is not being carried hypothetically.
The only way I can understand your confusion is if you stopped reading at that point, and completely missed the sentence immediately following the one you just quoted:
> I omitted "would" from my previous comment, but I think it's pretty clear from Francis' comment that we're discussing a hypothetical situation, and neither of us knows if any of the 645 affected certificates were requested by Caddy or not.
That's news to you? I informed you last week that Caddy would serve broken certificates in this situation: https://news.ycombinator.com/item?id=36344549