Arabella Barks
Oct 16, 2025, 9:21:31 AM
to dev-secur...@mozilla.org
Hello all,
This is Arabella.
Today, while reviewing various ACME clients, I observed that several popular ones have not yet implemented the ARI (Automatic Renewal Information) feature. This is despite the fact that ARI is now supported by major ACME CAs (Let's Encrypt, Google Trust Services).
It seems that for various reasons, whether financial or resource-related, the implementation of ARI in some widely-used clients has been delayed (e.g., acme.sh, acmephp). This lag could potentially hinder the certificate replacement and revocation process during a Massive Revocation Incident, as CAs, for practical and business reasons, often prefer to wait until users have replaced their certificates before revoking the old ones.
This leads me to a thought: since the delayed adoption of ARI in these clients directly impacts the ability of CAs to efficiently manage potential Massive Revocation Incidents, why don't commercial CAs consider providing financial or development and pull request support to the open-source ACME client community? By assisting open-source maintainers and projects, we could accelerate the implementation of ARI and collectively contribute to a more robust and healthier webPKI ecosystem.
I welcome and look forward to expanding this discussion.
Best regards,
Arabella