I'd like to propose a change that allows clients of the ACME protocol to
obtain the URL to the CA's current Terms of Service (if any) without
re-registering or trying to obtain a certificate and getting a failure
response.

This proposal has two parts: adding an entry to the directory, and adding
the current ToS URL to response headers.

Section 6.2 explains the directory, and adding an entry to the directory
seems logical:

{
  "new-reg": "https://example.com/acme/new-reg",
  "recover-reg": "https://example.com/acme/recover-reg",
  "new-authz": "https://example.com/acme/new-authz",
  "new-cert": "https://example.com/acme/new-cert",
  "revoke-cert": "https://example.com/acme/revoke-cert",
  "agreement-url": "https://example.com/acme/subscriber-agreement-v01.pdf"
}

Additionally, including the current ToS in response headers of a failed
request will allow clients to show the current terms and re-prompt the user
immediately, if available. Something like this:

Agreement-URL: https://example.com/acme/subscriber-agreement-v01.pdf

Both of these could be optional (as the CA sees fit), but it makes it
possible for clients to offer a better user experience.

Thanks,
Matt Holt
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
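The exchange the proposal describes, as an added example that is not part of the original post and not code from any ACME client or CA: a hypothetical in-memory CA serves a directory carrying "agreement-url" and refuses a new-reg whose "agreement" field does not match its current terms, answering with an Agreement-URL header; the client reads that header (falling back to the directory if the CA omits it), re-prompts the user, and retries once only on explicit consent. The directory document, the v02 agreement URL, the ToyCA class and the register/prompt callback are all constructed for this example.

```python
import json

# Constructed directory document in the shape the proposal describes (not a real CA's).
DIRECTORY_JSON = """{
  "new-reg": "https://example.com/acme/new-reg",
  "recover-reg": "https://example.com/acme/recover-reg",
  "new-authz": "https://example.com/acme/new-authz",
  "new-cert": "https://example.com/acme/new-cert",
  "revoke-cert": "https://example.com/acme/revoke-cert",
  "agreement-url": "https://example.com/acme/subscriber-agreement-v01.pdf"
}"""

AGREEMENT_V01 = "https://example.com/acme/subscriber-agreement-v01.pdf"
AGREEMENT_V02 = "https://example.com/acme/subscriber-agreement-v02.pdf"  # hypothetical newer ToS


def agreement_url_from_directory(directory_json):
    """Return the CA's current ToS URL from the directory, or None if the CA
    omits the (optional) field."""
    return json.loads(directory_json).get("agreement-url")


def header_value(headers, name):
    """Case-insensitive header lookup: HTTP header names are case-insensitive,
    so a CA sending 'agreement-url' must still be understood."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


class ToyCA:
    """Hypothetical in-memory CA implementing the proposal. The directory
    carries 'agreement-url', and a new-reg whose 'agreement' does not match
    the current terms is refused with an Agreement-URL response header."""

    def __init__(self, agreement_url):
        self.agreement_url = agreement_url

    def directory(self):
        d = json.loads(DIRECTORY_JSON)
        d["agreement-url"] = self.agreement_url
        return d

    def new_reg(self, body):
        # Returns (status, headers, body), mirroring an HTTP response.
        if body.get("agreement") != self.agreement_url:
            return (403,
                    {"Agreement-URL": self.agreement_url},
                    {"detail": "registration requires agreement to the current terms"})
        return (201, {}, {"agreement": body["agreement"]})


def register(ca, agreed_url, prompt):
    """Client side. Sends new-reg with the URL the user last agreed to. If the
    CA rejects it and advertises a newer ToS (header first, directory as
    fallback), calls prompt(url) and retries exactly once if the user accepts.
    Never accepts new terms silently on the user's behalf."""
    status, headers, body = ca.new_reg({"agreement": agreed_url})
    if status < 400:
        return status, body
    current = header_value(headers, "Agreement-URL")
    if current is None:
        # CA chose not to send the header on failure; the directory entry is the other source.
        current = ca.directory().get("agreement-url")
    if current is None or current == agreed_url:
        return status, body  # nothing new to show the user; surface the failure as-is
    if not prompt(current):
        return status, body  # user declined the new terms
    status, headers, body = ca.new_reg({"agreement": current})
    return status, body


if __name__ == "__main__":
    ca = ToyCA(AGREEMENT_V02)
    # User last agreed to v01; the CA now requires v02.
    print(register(ca, AGREEMENT_V01, lambda url: input(f"Accept {url}? [y/N] ").lower() == "y"))
```

The retry is deliberately bounded to one attempt: if the CA still refuses after the user accepted the URL it advertised, the client reports the failure rather than looping, and the prompt always shows the exact URL that will be sent back in the "agreement" field.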