Hey Ted, Sorry for the delay. Processing PRs again today.
> What's the actual range of things that we believe the user may be asked to > complete? Could the server re-use the proof-of-possession methods for > baseline assignment? > > Reading this, it also struck me that the "clicking a link in an email" could > be taken as the link to the page to which the POST request should be sent. > I don't think that's what's intended here though (it's meant to be two-step, > right?) That's right. This recovery method was deliberately left very open-ended to let CAs craft their own recovery modalities. The user will have to do *something* to demonstrate control of the contact address, but maybe a CA wants to have something like a CAPTCHA in front of the recovery process, or take a reply to an SMS as sufficient. As we have this discussion, though, it seems like we should probably do one of the following two things: 1. Further nail down what the server has to do for contact-based recovery (e.g., providing something unpredictable in the contact) 2. Punt recovery completely out of ACME by just having a recovery URI that a human needs to visit for instructions. I'm honestly sort of inclined toward the latter. In any case, it doesn't seem like any of this is blocking on *removing* MAC-based recovery (#41), just clarifying what we should do with what remains. --Richard _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
