I'd like to try to close the loop on this. I'm hearing pretty broad agreement here on a few points:
- We should keep the full URL in the agreement field
- The server can update that URL if it doesn't need re-agreement
- The server should indicate the need for agreement with an error

Based on that, I've put together a PR that does the following:

- Add an "agreementRequired" error type
- Require the server to return that error type and the ToS URL when it requires (re-)agreement
- Allow the server to update the agreement URL if re-agreement is not required

https://github.com/ietf-wg-acme/acme/pull/182

On Sat, Aug 6, 2016 at 2:30 PM, Jacob Hoffman-Andrews <[email protected]> wrote:

> Let's Encrypt recently did its first update of its Subscriber Agreement,
> and ran into some incompatibility. The current spec makes it seem like
> the client should update the registration object whenever the Subscriber
> Agreement (known in ACME as terms-of-service) changes.
>
> However, early in drafting LE's Subscriber Agreement, we realized that
> if we required human approval of Subscriber Agreement changes, that
> would break auto-renewal. So our Subscriber Agreement says that updates
> automatically apply to existing users after a notice period.*
>
> The existing ACME terms-of-service flow is an awkward hold-over from
> when we treated the new-reg URL as the entry point. Currently you create
> an account, get told the ToS URL, and update the account object with
> that URL. That then gets stored as a property of the registration object
> forever.
>
> Now that we have the directory object, and it contains a
> terms-of-service URL, we can say that for CAs with a terms-of-service
> URL, you must agree before you can create an account. We can have an
> "agree": true field in the new-reg POST to signal agreement to the
> current terms-of-service from the directory object. Then the
> terms-of-service URL doesn't need to be a permanent part of the
> registration object, and we can avoid ambiguity over whether and when
> clients need to update or check it.
>
> What do you think?
>
> *As much as I dislike these types of agreement as a consumer, I think
> it's the only reasonable approach to allow robust automatic issuance
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
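The flow proposed in the message above, modelled with both sides of the exchange as an added example (not code from the PR or from any ACME implementation). Only the "agreementRequired" error name and the agreement / ToS URL concepts come from the thread; the class, function and dict key names and the `ca.example` URLs used with it are assumptions.

```python
# Added illustration. Names and message shapes are assumptions, not PR 182's wire format.
OK = {"status": "ok"}

class ToyAcmeServer:
    def __init__(self, tos_url):
        self.tos_url = tos_url
        self.accounts = {}  # account id -> {"agreement": URL the account agreed to}

    def _agreement_required(self):
        # The error carries the ToS URL the client must agree to.
        return {"status": "error", "type": "agreementRequired", "tos_url": self.tos_url}

    def set_agreement(self, acct_id, url):
        """Create or update a registration; only the current ToS URL is accepted."""
        if url != self.tos_url:
            return self._agreement_required()
        self.accounts.setdefault(acct_id, {})["agreement"] = url
        return dict(OK)

    def publish_tos(self, new_url, requires_reagreement):
        old, self.tos_url = self.tos_url, new_url
        if not requires_reagreement:
            # Server-side update: accounts current on the old terms move to the new URL.
            for acct in self.accounts.values():
                if acct["agreement"] == old:
                    acct["agreement"] = new_url

    def request(self, acct_id):
        """Any account-authenticated request, e.g. asking for a certificate."""
        if self.accounts[acct_id]["agreement"] != self.tos_url:
            return self._agreement_required()
        return dict(OK)

def client_request(server, acct_id, approve):
    """approve(url) -> bool stands in for the operator's (or policy's) decision."""
    resp = server.request(acct_id)
    if resp.get("type") == "agreementRequired":
        if not approve(resp["tos_url"]):
            return resp  # surface the error instead of agreeing silently
        server.set_agreement(acct_id, resp["tos_url"])
        resp = server.request(acct_id)
    return resp
```

An unattended renewal client would pass an `approve` policy that returns False, so a change that needs re-agreement stops issuance with a visible error rather than being accepted without review.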
