Speaking not as chair, I think an "out of band" makes a great deal of sense. The challenge should have some opaque token that is used; perhaps the URI is enough. And the response should be some opaque token that the server can use to verify that the challenge was completed (e.g., an opaque ref to an internal transaction-id).
-- 
Senior Architect, Akamai Technologies
IM: [email protected] Twitter: RichSalz
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
