[Servercert-wg] Discussion Period Begins - Ballot SC-071: Subscriber Agreement and Terms of Use Consolidation

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Apr 19 18:06:55 UTC 2024

On 18/4/2024 7:58 p.m., Aaron Gable via Servercert-wg wrote:
>     1. Section 9.6.1 adds language that imposes or makes the following
>     requirements explicit:
>         i. the Subscriber has been provided with the most current
>         version of the Subscriber Agreement;
>         ii. the applicable Subscriber Agreement is the Subscriber
>         Agreement that was accepted when the Certificate was issued; and
>     I am aware that ACME RFC 8555 section 7.3.3 provides a mechanism
>     for updating the Subscriber Agreement ("Terms of Service" in the
>     RFC). The language above seems to imply that this mechanism must
>     be used whenever a CA changes their Subscriber Agreement. Has this
>     mechanism been deployed and used at scale?
> I concur that this appears to be a new requirement, not simply a 
> unification of the current SA and ToS language. That's surprising, 
> given the ballot description and purpose.
> The mechanism described in RFC 8555 Section 7.3.3 for ACME servers to 
> update the Subscriber Agreement is poorly designed, impractical, and 
> is not fully implemented by any ACME CA that I am aware of. 
> Specifically, the whole point of ACME is that it is automated -- 
> operators should not need to intervene except when they make changes 
> to their own systems. In fact, many ACME clients have no direct way to 
> reach their operators (i.e. no email or other notification 
> facilities), they just log to a file which the operator theoretically 
> reads but in practice wholly ignores. So an ACME CA breaking every 
> single ACME client until that client's operator takes manual action is 
> a non-starter.

I'm not sure I understand this concern. ACME clients provide a mechanism 
for the Applicant to "accept" the Terms of Service or Subscriber 
Agreement and signal that action to the CA. The ballot merely says that 
the CA must provide their latest ToU/SA to the Applicants (this can be 
done via a URL presented to the Applicant), and the Applicants must 
signal their acceptance before proceeding.

What happens if the SA/ToS document changes? I had the impression that 
the ACME client would be able to see the new version and ask that the 
updated version be accepted. How does this process work in practice?
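The RFC 8555 section 7.3.3 exchange the thread is asking about, as an added example (not part of the original post or of any CA's implementation): the server answers a request from an account whose agreement is stale with a 403 problem document of type userActionRequired plus a terms-of-service Link header, and the client surfaces that to its operator instead of agreeing on its own. All URLs and the server-side agreed_tos_url bookkeeping field are constructed for illustration.

```python
import json
import re

# RFC 8555 section 7.3.3: error type and link relation a server uses when its
# terms of service changed after the account agreed to an earlier version.
USER_ACTION_REQUIRED = "urn:ietf:params:acme:error:userActionRequired"
TOS_LINK_REL = "terms-of-service"


def server_gate_request(account, current_tos_url, instructions_url):
    """Server side: pass the request (200) or return the 403 problem document
    from RFC 8555 7.3.3. 'agreed_tos_url' is constructed server-side
    bookkeeping of which ToS version this account accepted."""
    if account.get("termsOfServiceAgreed") and account.get("agreed_tos_url") == current_tos_url:
        return 200, {}, None
    problem = {
        "type": USER_ACTION_REQUIRED,
        "detail": "Terms of service changed; explicit agreement to the new terms is required",
        "instance": instructions_url,  # URL a human should visit, per 7.3.3
    }
    headers = {"Link": f'<{current_tos_url}>;rel="{TOS_LINK_REL}"'}
    return 403, headers, json.dumps(problem)


def parse_link_header(value):
    """Map rel -> URL for a Link header of the form <url>;rel="x", <url2>;rel="y"."""
    return {rel: url for url, rel in re.findall(r'<([^>]+)>\s*;\s*rel="([^"]+)"', value or "")}


def client_handle_response(status, headers, body):
    """Client side: recognise the 7.3.3 error and return what the operator must
    act on (new ToS URL, instructions URL). Returns None on success and raises
    on unrelated errors. The client never sets termsOfServiceAgreed itself."""
    if status < 400:
        return None
    problem = json.loads(body)
    if problem.get("type") != USER_ACTION_REQUIRED:
        raise RuntimeError(f"ACME error {status}: {problem.get('type')}")
    return {
        "new_tos_url": parse_link_header(headers.get("Link")).get(TOS_LINK_REL),
        "instructions_url": problem.get("instance"),
    }


def operator_agrees(account, new_tos_url):
    """After a human has read and accepted the new ToS, record that and return
    the account-update payload the client would then POST to the server."""
    account["termsOfServiceAgreed"] = True
    account["agreed_tos_url"] = new_tos_url
    return {"termsOfServiceAgreed": True}
```

Until operator_agrees runs, every request from that account keeps failing with the same 403, which is the "breaks every client until the operator acts" behaviour described above.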
