On 08/21/2016 04:31 PM, Richard Barnes wrote:
> How about this as a compromise proposal: Have the JWS header contain
> *both* the account URL and the account public key. That way you get
> fast rejection based on crypto failures, and you also get protection
> against any issues related to relying on public keys alone.

This doesn't achieve the goal of making sure that ACME servers are validating based on account data they already have, rather than validating based on a key provided in the request.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
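
Added example, not part of the original message and not code from any ACME implementation: the distinction drawn in the reply above, between checking a signature against the key carried in the request and checking it against the key the server already holds for the account URL. It assumes a simplified `Request` struct signed with Ed25519 in place of a real JWS; the type, the function names and the `acme.example` URL are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Request is a simplified stand-in (constructed for this example) for an ACME JWS.
type Request struct {
	KID          string            // account URL from the header
	JWK          ed25519.PublicKey // public key from the header
	Payload, Sig []byte
}

// signed returns the bytes covered by the signature: header fields, then payload.
func signed(r Request) []byte {
	return append(append([]byte(r.KID+"."), r.JWK...), r.Payload...)
}

// VerifyHeaderKey checks the signature against the key supplied in the request.
// It shows only that the sender holds some key, not the account's key.
func VerifyHeaderKey(r Request) error {
	if len(r.JWK) != ed25519.PublicKeySize || !ed25519.Verify(r.JWK, signed(r), r.Sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// VerifyStoredKey resolves the key from server-side account data by account URL;
// a key in the header is only compared against the stored one, never trusted.
func VerifyStoredKey(accounts map[string]ed25519.PublicKey, r Request) error {
	stored, ok := accounts[r.KID]
	if !ok || (r.JWK != nil && !stored.Equal(r.JWK)) {
		return fmt.Errorf("unknown account or header key mismatch")
	}
	if !ed25519.Verify(stored, signed(r), r.Sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

func main() {
	ownerPub, _, _ := ed25519.GenerateKey(nil)
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)
	accounts := map[string]ed25519.PublicKey{"https://acme.example/acct/1": ownerPub}
	r := Request{KID: "https://acme.example/acct/1", JWK: otherPub, Payload: []byte("{}")}
	r.Sig = ed25519.Sign(otherPriv, signed(r))
	fmt.Println("header key only:", VerifyHeaderKey(r), "| stored key:", VerifyStoredKey(accounts, r))
}
```

A request that names the account URL but is signed with an unrelated key passes `VerifyHeaderKey` and is rejected by `VerifyStoredKey`, whether or not the header also carries a key.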
