On 24 March 2016 at 09:33, Karthik Bhargavan <karthikeyan.bharga...@inria.fr> wrote: > Emails with clickable links are *BAD*; we should enhance their security by > linking them better with > the ACME account key.
FWIW, I think that a clickable link could be possible, it just wouldn't be able to point to the server. If, as you suggest, the point is to give the ACME client a fresh secret, then the link could be changed from: https://acme.server.example/recover/<secret> to acme:recover:<secret> Most operating systems understand how to invoke local software in response to that and your proposed flow behaves much the same from a user perspective. That isn't *as* good as your proposal, I don't think, but it might have some usability advantages. _______________________________________________ Acme mailing list Acme@ietf.org https://www.ietf.org/mailman/listinfo/acme