On Mon, Jul 27, 2015 at 5:11 PM, Salz, Rich <[email protected]> wrote:
>> I don't think I understand the IANA registry bit here.  Is the idea that 
>> FooCA registers something like FooCA-send-us-this-by-registered-mail, and 
>> when the challenge is received by a client it looks at the IANA registry for 
>> something it can parse into human interaction?  How is that better than a 
>> single "offline" challenge where the URL to check for the steps is in the 
>> response?
>
> It lets a single "generic" client say "I don't understand the OmniPublish 
> offline protocol."  Or lets CA vendors ship plugin libraries for a generic 
> ACME client (such as distributed by LetsEncrypt org).  And yes, maybe it's 
> not needed if the URL is something the human points their browser to.

I think you're over-thinking this.  All we need here is a single
escape valve -- "I'm not going to validate this within ACME".  Then
it's up to the CA to make sure that whatever web interface they refer
to explains different options.  Syntactically, I would suggest
something like:

Challenge: { "type": "out-of-band", "href": "http://example.com/how-to-validate" }
Response: { "type": "out-of-band" }

>> This seems fairly low on the priority list, honestly, but if we are going to 
>> do it, I think we need to have some thought to what happens at some of the 
>> larger time scales.  If months pass, the contact information may go stale, 
>> to take a simple example.
>
> I think it's higher than that *if and only if* the commercial CAs find it 
> something they could use.

I'm not an expert in EV, but I have a pretty hard time thinking of
ways to do EV without something like this.  It's also a nice escape
valve to let CAs move things over to ACME incrementally, or to
innovate with new stuff before clients support it.

It seems like something like this would probably be sensible to add if
there are CAs that might use it.

--Richard



_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
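An added illustration of the "escape valve" behaviour sketched in the message above (example code written for this page, not taken from the thread or from any ACME draft or client). The out-of-band challenge and response objects mirror the JSON in the mail; the surrounding authorization object with a "challenges" list, the automated types the client knows, and the "omni-publish-v1" type are assumptions. The point it shows: a generic client does its own validation where it can, falls back to handing a human the CA's href, refuses to display anything that is not an absolute http(s) URL, and only reports "unsupported" when nothing usable remains.

```python
import json
from urllib.parse import urlsplit

# Constructed sample authorization. The object shape is assumed; the
# out-of-band challenge follows the JSON sketched in the mail above.
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "challenges": [
        {"type": "omni-publish-v1", "token": "abc"},          # vendor-specific, unknown here
        {"type": "out-of-band", "href": "https://example.com/how-to-validate"},
    ],
})

# Challenge types this hypothetical client can complete without a human.
AUTOMATED = {"http-01", "dns-01"}


def href_is_safe(href):
    """Only an absolute http(s) URL is ever shown to the operator.
    Anything else (other schemes, relative paths, non-strings) is rejected
    rather than displayed or opened."""
    if not isinstance(href, str):
        return False
    parts = urlsplit(href)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def select_challenge(authz_json, automated=AUTOMATED):
    """Decide how to proceed with one authorization.

    Returns ("automated", challenge) when the client can validate itself,
    ("human", href) when only the out-of-band escape valve applies, or
    ("unsupported", [types]) when nothing offered can be used. Unknown
    types are skipped instead of aborting, which is what lets a CA add
    new mechanisms before clients support them."""
    authz = json.loads(authz_json)
    challenges = authz.get("challenges", [])

    for ch in challenges:
        if ch.get("type") in automated:
            return ("automated", ch)

    for ch in challenges:
        if ch.get("type") == "out-of-band" and href_is_safe(ch.get("href")):
            return ("human", ch["href"])

    offered = sorted({ch.get("type") for ch in challenges if ch.get("type")})
    return ("unsupported", offered)


def out_of_band_response():
    """The response carries no proof: the CA validates outside ACME and the
    client merely acknowledges that it is taking that route."""
    return json.dumps({"type": "out-of-band"})


if __name__ == "__main__":
    kind, detail = select_challenge(SAMPLE_AUTHZ)
    if kind == "human":
        print("Complete validation at:", detail)
        print("Response body:", out_of_band_response())
    else:
        print(kind, detail)
```

Note the ordering: the automated path is preferred even when an out-of-band challenge is present, so the escape valve never silently replaces a validation the client could have done itself, and a malformed href makes the out-of-band option unusable rather than something the operator is asked to visit.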
