At IETF 96 it was proposed to drop this issue: https://www.ietf.org/proceedings/96/minutes/minutes-96-acme.
The rationale from the notes is that nonces are not a scarce resource. However, cachability and idempotence of GETs were not addressed. I think it's worth not requiring nonces on GETs purely for those reasons. In practical terms, this difference has caused real bugs for Let's Encrypt. Would someone like to present a specific defense of providing a unique nonce with every GET?
