On 08/05/2016 12:22 PM, Richard Barnes wrote:
> #165 - Re-add new-authz as pre-authorization
> https://github.com/ietf-wg-acme/acme/pull/165

Gave feedback on a separate thread.

> #166 - Clarify 'url' field processing
> https://github.com/ietf-wg-acme/acme/pull/166

LGTM

> #161 - Drop the OOB challenge
> https://github.com/ietf-wg-acme/acme/pull/161

LGTM

> #162 - Add a protocol version
> https://github.com/ietf-wg-acme/acme/pull/162

Still thinking about this one. Seems sound at first glance, but I'm thinking about TLS version intolerance and https://www.imperialviolet.org/2016/05/16/agility.html.

> #163 - Make duplicate new-reg return 303
> https://github.com/ietf-wg-acme/acme/pull/163
>
> (NB: I used 303 instead of 302 because I thought it was a better
> fit after reading the HTTP spec. Nothing is going to be a perfect
> fit here.)
> https://tools.ietf.org/html/rfc7231#section-6.4.4

Agreed that nothing is a perfect fit here. In particular, common UA behavior is to turn a POST into a GET, which will fail because you can't GET a registration. However, we also don't want the UA to re-POST, because (a) the nonce will be used up already, and (b) the POST for a new-reg isn't the same as a POST for an existing registration.

Can you provide more detail on the motivation for this change, both on-list and in the PR description?
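A toy model of the redirect failure modes discussed in the reply on #163, added here as an illustration and not taken from the message, the PR or the ACME draft. The `ToyServer` class, its paths, status codes and error strings are assumptions; the 307 case goes beyond the thread and is used only to model a user agent that repeats the POST, as RFC 7231 defines for that status.

```python
import secrets

class ToyServer:
    """Constructed stand-in for an ACME server; paths, status codes and
    error strings are assumptions for illustration, not from the draft."""
    def __init__(self, redirect_status):
        self.redirect_status = redirect_status
        self.nonces, self.regs = set(), {}

    def new_nonce(self):
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return nonce

    def handle(self, method, path, body=None):
        if method == "GET":
            return 405, {}, "registration cannot be fetched with GET"
        if body["nonce"] not in self.nonces:
            return 400, {}, "badNonce"
        self.nonces.remove(body["nonce"])          # nonces are single-use
        if path == "/new-reg":
            if body["key"] in self.regs:           # duplicate: redirect
                location = self.regs[body["key"]]
                return self.redirect_status, {"Location": location}, None
            self.regs[body["key"]] = f"/reg/{len(self.regs) + 1}"
            return 201, {"Location": self.regs[body["key"]]}, None
        if body["type"] != "reg":                  # any other path is /reg/N
            return 400, {}, "body is a new-reg request, not a registration update"
        return 200, {}, None

def duplicate_new_reg(redirect_status, fresh_nonce=False):
    """Register the same key twice, then follow the redirect as a generic
    HTTP user agent would (RFC 7231: 303 -> GET, 307 -> repeat the POST)."""
    server = ToyServer(redirect_status)
    def request():
        return {"type": "new-reg", "key": "constructed-key",
                "nonce": server.new_nonce()}
    assert server.handle("POST", "/new-reg", request())[0] == 201
    body = request()
    status, headers, _ = server.handle("POST", "/new-reg", body)
    if status == 303:
        return server.handle("GET", headers["Location"])
    if fresh_nonce:                                # even a new nonce does not help
        body = dict(body, nonce=server.new_nonce())
    return server.handle("POST", headers["Location"], body)

if __name__ == "__main__":
    for args in [(303,), (307,), (307, True)]:
        print(args, duplicate_new_reg(*args))
```

All three runs end in an error, which is the case for an ACME client treating the redirect's `Location` as information rather than letting a generic HTTP library follow it.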
