RFC Errata

RFC 8555, "Automatic Certificate Management Environment (ACME)", March 2019

Source of RFC: acme (sec)

Errata ID: 5771
Status: Rejected
Type: Technical
Publication Format(s) : TEXT

Reported By: Rob Stradling
Date Reported: 2019-07-02
Rejected by: Benjamin Kaduk
Date Rejected: 2019-07-17

Section 7.1.1 says:

Clients access the directory by sending a GET request to the
directory URL.

It should say:

Clients access the directory by sending a GET request to the directory
URL.  Before making a request to any URL from the directory, the client
MUST evaluate whether the directory object is still fresh according to
the Cache-Control header(s) received when that directory object was
accessed.  If no Cache-Control header(s) were received, the client MUST
act as if "Cache-Control: no-cache" was received.  If the directory
object is no longer fresh, the client MUST access the directory again
(by sending another GET request to the directory URL) and then use the
updated directory object.

The original text is underspecified, because it doesn't say how long a directory remains valid. A server should be able to update its directory (e.g., to add support for newAuthz, to update the termsOfService URL, etc.) without having to worry about clients holding on to stale directory objects.
Whilst in practice many clients tend to re-fetch the server's directory object frequently, I think that it's unwise to leave this to chance.

WG consensus per the thread including https://mailarchive.ietf.org/arch/msg/acme/I2oeALKJTyCwlMOp1v9BTadahyE is to reject the proposed erratum.
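The freshness rule in the proposed replacement text above, worked through as an added Python example. This is not code from RFC 8555, from the erratum, or from any ACME implementation; it assumes a hypothetical directory URL and resource URLs under acme.example, a constructed in-memory stand-in for the server and a fake clock so it runs offline, and it conservatively treats a Cache-Control value that carries no max-age directive the same way as a missing header (no-cache). It shows the two behaviours the reporter contrasts: with no Cache-Control the client re-fetches before every use, and with max-age=300 a server-side directory update (newAuthz added) is invisible to the client until the cached object expires.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical directory URL (assumption for the example, not from the RFC).
DIRECTORY_URL = "https://acme.example/directory"

Headers = Dict[str, str]
Fetch = Callable[[str], Tuple[Headers, dict]]


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_max_age(cache_control: Optional[str]) -> Optional[float]:
    """Freshness lifetime in seconds, or None if the object may never be reused.

    A missing header is treated as "Cache-Control: no-cache", as the proposed
    text requires.  no-cache, no-store, or a value without max-age are handled
    the same way (a conservative assumption made for this example).
    """
    if cache_control is None:
        return None
    directives = [d.strip().lower() for d in cache_control.split(",")]
    if "no-cache" in directives or "no-store" in directives:
        return None
    for directive in directives:
        match = re.fullmatch(r'max-age="?(\d+)"?', directive)
        if match:
            return float(match.group(1))
    return None


@dataclass
class CachedDirectory:
    body: dict
    fetched_at: float
    max_age: Optional[float]  # None: never fresh, must be re-fetched before use

    def is_fresh(self, now: float) -> bool:
        return self.max_age is not None and (now - self.fetched_at) < self.max_age


class AcmeDirectoryClient:
    """Keeps one directory object and re-fetches it once it is no longer fresh."""

    def __init__(self, fetch: Fetch, clock: Callable[[], float] = time.time):
        self._fetch = fetch      # injected GET so the example needs no network
        self._clock = clock
        self._cache: Optional[CachedDirectory] = None
        self.fetch_count = 0

    def directory(self) -> dict:
        now = self._clock()
        if self._cache is None or not self._cache.is_fresh(now):
            headers, body = self._fetch(DIRECTORY_URL)
            self.fetch_count += 1
            max_age = parse_max_age(get_header(headers, "Cache-Control"))
            self._cache = CachedDirectory(body, now, max_age)
        return self._cache.body

    def url_for(self, resource: str) -> str:
        """Resolve a resource URL, re-validating the directory first if stale."""
        return self.directory()[resource]


class FakeClock:
    def __init__(self, start: float) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class FakeDirectoryServer:
    """Constructed stand-in for an ACME server; returns (headers, directory)."""

    def __init__(self, cache_control: Optional[str]) -> None:
        self.cache_control = cache_control
        self.directory = {
            "newNonce": "https://acme.example/new-nonce",
            "newAccount": "https://acme.example/new-account",
            "newOrder": "https://acme.example/new-order",
        }

    def get(self, url: str) -> Tuple[Headers, dict]:
        assert url == DIRECTORY_URL
        headers = {} if self.cache_control is None else {"Cache-Control": self.cache_control}
        return headers, dict(self.directory)


def simulate() -> dict:
    clock = FakeClock(1000.0)
    # Phase 1: no Cache-Control header -> treated as no-cache, re-fetch before every use.
    client = AcmeDirectoryClient(FakeDirectoryServer(None).get, clock.now)
    client.url_for("newNonce")
    client.url_for("newOrder")
    fetches_no_header = client.fetch_count
    # Phase 2: max-age=300 -> one fetch serves every use within 300 s, then a re-fetch.
    server = FakeDirectoryServer("max-age=300")
    client = AcmeDirectoryClient(server.get, clock.now)
    client.url_for("newNonce")
    clock.advance(100)
    server.directory["newAuthz"] = "https://acme.example/new-authz"  # server updates
    seen_before_expiry = "newAuthz" in client.directory()   # still the cached object
    fetches_before_expiry = client.fetch_count
    clock.advance(250)                                       # 350 s > max-age: stale
    seen_after_expiry = "newAuthz" in client.directory()     # re-fetched, update visible
    return {
        "fetches_no_header": fetches_no_header,
        "fetches_before_expiry": fetches_before_expiry,
        "seen_before_expiry": seen_before_expiry,
        "seen_after_expiry": seen_after_expiry,
        "fetches_after_expiry": client.fetch_count,
    }


if __name__ == "__main__":
    print(simulate())
```

The phase 2 result is the stale-object window the report warns about: with a long max-age a client legitimately keeps using an old directory, so a server that expects clients to notice a new resource promptly must either keep its max-age short or accept that delay.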
