Hey all,

Just posted a PR with a sketch of the "precondition" idea that we discussed at the F2F in Buenos Aires:

https://github.com/ietf-wg-acme/acme/pull/124

This change seems pretty simple, and I think it lets us hit a few pain points:

* Wildcards: Just send the CSR in and let the CA tell you what to validate
* Payment: Specify an "out-of-band" precondition
* CA issuance flows: If the CA won't tell you how to authorize until you send in a CSR, this now lets the ACME server lead the client to do authorization after the new-cert request comes in.

We may need a little more machinery here, e.g., to be able to have the new-authz endpoint say "that's not going to work directly, just request the cert". We may even want to just revise the flow, so that instead of reg-authz-cert, the default order is reg-cert-authz-cert. But I thought I'd go ahead and send this first pass out for feedback.

What do people think?

Thanks,
--Richard
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
