[LinuxBender]

I second this. I know of companies that have thousands of certs, sub-domain wildcard certs, sub-domain certs and while the ideal world these would be automated many of the cert providers do not yet offer a consistent standardized API if even any API at all.

Today, over 50% of the certificates issued by the Web PKI rely on ACME.

This is not a great stat to base anything on as not all sites are equal. I can see most hobby, small business sites and new greenfield deployments having certs that utilize an ACME compatible API. Older businesses will have to drop what they are doing and shift priorities to make this happen. I foresee a lot of outages if they are not careful about determining a timeline. In my experience government offices will be the most challenging to get updated and automated and that could lead to some interesting compliance and regulatory violations.

In this same proposal, we introduced the idea of making Online Certificate Status Protocol (OCSP) services optional.

This part I agree with. That privacy leak should have been deprecated ages ago especially with OCSP stapling. Stapling support needs to be more widely adopted by more TLS terminating software and hardware.

[IcePic]

I find this comment a bit like if someone forces automation for something else, like building containers or deb/rpms of software releases (as opposed to .tgzs of the source) and this comment would be "nooo, we make thousands of releases and if we must automate it, it will be really hard on our engineers".

Yes, if you did not automate and if you buy from vendors who are not automation friendly, then it will be a certain challenge, BUT. If you actually HAVE a large deployment of manual certs, the automation would pay off rather quickly. If it is very cumbersome to renew all certs every 90 days, it can't be a breeze to do it every 365 days either.

[LinuxBender]

If it is very cumbersome to renew all certs every 90 days, it can't be a breeze to do it every 365 days either.

It's a PITA but at least it is spread out over 365 days. I am all for automation and have tried over multiple decades to get old / large companies to automate all the things. The devil is in the implementation details however and this may be a cart before the horse situation.

Missing foundational requirements are:

- ACME endpoints at all or most of the cert providers

- ACME test endpoints at all or most of the cert providers so people can test their shiny new automation ahead of time

- Ability to register wildcards using those endpoints vs. DNS as is required today by the free cert providers

Maybe the plus side is that this pushes all those companies onto the free providers but then there is the issue of rate limits. Most of these companies will show up to LE as 1-10 IP addresses via outbound SNAT's. LE will see this as a highly abusive user. The current API rate limits will need to be adjusted and the providers will need to ramp up their cert signing infrastructure. Has this been done?

Without a clear path and the above issues addressed then I suspect what is actually going to happen is that big companies will keep using their existing certs and will just update their process around the certs that live on the internet facing load balancers so that the browser is happy meaning that perhaps 3% of their certs now follow a new process.