Let's Encrypt: certificate lifetimes 90 days plus one second (bugzilla.mozilla.org)
2 points by jraph on June 16, 2021 | 1 comment


asking people filing certificates to file for 90d-1s is a huge pita. well, i guess it's LE that does the filing. but this 1s changes how cron jobs & other downstream systems would have to behave in a frustrating, ever shifting way.

i've done some contributions to an aws/okta authenticator program (https://github.com/jonathanmorley/oktaws) and live in fear of some policy engine or bug report like this that makes our particular corporate "12 hour maximum" policy require folks to change their requested token durations from 43200 seconds to 43199 seconds. i've thought about pre-emptively silently subtracting a second from what people request, but as a pre-emptive guard it seemed a little extreme.

the bug report is accurate, but it's SRG CPS v3.2 Section 7.1 that should be updated, to not be annoying. the situations are a little different: oktaws's users really do use a token till it expires, whereas hopefully LE users are renewing their tokens before the last second. but allowing an extra inclusive second, not being pedantic about time, seems good. extra marginal cost to validators be damned.



