[
  {
    "criterion": "Time per renewal",
    "manual_management": "Human intervention at every deadline (CSR, validation, deployment, reload)",
    "automated_acme_management": "Zero-touch: the ACME client renews and deploys with no intervention"
  },
  {
    "criterion": "Outage risk",
    "manual_management": "High: 86% of organizations suffered a certificate-related outage within the year",
    "automated_acme_management": "Low: anticipated renewal, scheduled retries, and independent monitoring"
  },
  {
    "criterion": "Max sustainable scale",
    "manual_management": "A handful of well-controlled servers (spreadsheet + discipline)",
    "automated_acme_management": "Hundreds to thousands of heterogeneous certificates"
  },
  {
    "criterion": "DCV revalidation (10-day window)",
    "manual_management": "Unmanageable: a manual domain revalidation at every renewal",
    "automated_acme_management": "Transparent via the DNS API and the automated DNS-01 challenge"
  },
  {
    "criterion": "Crypto-agility",
    "manual_management": "Low: invisible fleet, algorithm migration impossible at scale",
    "automated_acme_management": "High: rotation muscle ready for post-quantum migration (ML-KEM, ML-DSA)"
  },
  {
    "criterion": "Operational cost (1000 certs at 47 days)",
    "manual_management": "More than 7,700 renewals a year, or 21+ daily operations beyond human reach",
    "automated_acme_management": "Load absorbed by the ACME/ARI loop, smoothed and exempt from rate limits"
  }
]
