On 09/14/2016 01:14 AM, Ron wrote:
> doing some sort of legal theatre lite where the client blindly sends

For better or for worse, there is some "legal theatre lite" required to get a certificate in the Web PKI. The Baseline Requirements require it. The question is: Do we automate it or do we not automate it?

> a hard coded "sure, whatever you say, whenever you say it" flag.

I am *not* proposing a "sure, whatever you say, whenever you say it" flag. I am proposing that ACME only needs to know how to agree on terms of service when creating an account. If the server later wants their users to agree to new terms, that can readily be implemented with error codes and out-of-band URLs.

You are proposing that ACME specify not only initial agreement, but also how to negotiate subsequent agreements. There is no need for this, specifically because those subsequent agreements cannot be automated. ACME is the Automated Certificate Management Environment. Why would we include extra plumbing that can only be used manually?

> We could just provide a directory entry (which could even be optional)
> that indicates where the terms can be found

This exists, and is what my proposal is based on.

> that any other use of the service indicates acceptance of those terms
> (just like pretty much every other network service in existence does
> without needing to kludge a contentless 'accept' bit into the protocol).

I understand this proposal is an unappealing compromise. I feel the same way. I'd prefer to go all the way and remove explicit agreement to terms. Unfortunately, the BRs don't seem compatible with this.

In another thread, Rich has asked if we are close to consensus. How strong are your objections? Are you willing to join the CA/Browser Forum as an Interested Party and propose the necessary change to the BRs?

Thanks,
Jacob

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
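The design sketched in the message above (agree to the directory-advertised terms once at account creation; handle later terms changes through an error code plus an out-of-band URL, with no blanket "accept anything" flag) can be illustrated with a small client-side model. This is an added example, not code from the mailing-list thread or from any ACME implementation; the field and error names (`meta.termsOfService`, `termsOfServiceAgreed`, `userActionRequired`, the `terms-of-service` Link relation) are assumed from the design ACME later standardised in RFC 8555, and the directory document and server responses are constructed for the example.

```python
"""Model of explicit terms-of-service handling in an ACME client:
agreement only at account creation, and an operator-review path when
the server later signals new terms via an error and an out-of-band URL.
Names follow the later RFC 8555 design (assumption); all inputs below
are constructed sample data, not captured from a real CA."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Error type a server uses to say "a human must do something first" (RFC 8555).
USER_ACTION_REQUIRED = "urn:ietf:params:acme:error:userActionRequired"

# Constructed directory document, as a server might serve it.
DIRECTORY_JSON = json.dumps({
    "newNonce": "https://ca.example/acme/new-nonce",
    "newAccount": "https://ca.example/acme/new-account",
    "newOrder": "https://ca.example/acme/new-order",
    "meta": {"termsOfService": "https://ca.example/terms/v1.pdf"},
})

# Constructed directory after the CA publishes revised terms.
UPDATED_DIRECTORY_JSON = json.dumps({
    "newAccount": "https://ca.example/acme/new-account",
    "meta": {"termsOfService": "https://ca.example/terms/v2.pdf"},
})


@dataclass
class ClientState:
    # The exact terms URL the operator agreed to, recorded locally so that a
    # different URL advertised later is never treated as already accepted.
    agreed_terms_url: Optional[str] = None


def terms_url_from_directory(directory_json: str) -> Optional[str]:
    """Return the terms-of-service URL advertised in the directory, if any."""
    return json.loads(directory_json).get("meta", {}).get("termsOfService")


def new_account_payload(directory_json: str, state: ClientState,
                        contact: List[str]) -> dict:
    """Build the newAccount payload. The agreement flag is set only when the
    operator has agreed to the URL the directory *currently* advertises;
    there is no 'agree to whatever, whenever' setting to turn on."""
    payload = {"contact": list(contact)}
    advertised = terms_url_from_directory(directory_json)
    if advertised is not None and state.agreed_terms_url == advertised:
        payload["termsOfServiceAgreed"] = True
    return payload


# Matches <url>;rel="terms-of-service" in a Link header.
_TOS_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="terms-of-service"')


def classify_error(status: int, headers: dict, body: str) -> dict:
    """Interpret an ACME error response. For userActionRequired, surface the
    new terms URL and the instance URL for the operator; the client never
    re-agrees on its own, because that step cannot be automated."""
    problem = json.loads(body) if body else {}
    if problem.get("type") == USER_ACTION_REQUIRED:
        match = _TOS_LINK_RE.search(headers.get("Link", ""))
        return {
            "action": "operator_review",
            "terms_url": match.group(1) if match else None,
            "instance": problem.get("instance"),
            "detail": problem.get("detail"),
        }
    return {"action": "fail", "status": status, "type": problem.get("type")}


def demo() -> dict:
    """Run the flow end to end on the constructed data and return each step."""
    state = ClientState()
    contact = ["mailto:admin@example.net"]
    # 1. No prior agreement: the payload carries no agreement flag at all.
    before = new_account_payload(DIRECTORY_JSON, state, contact)
    # 2. Operator reads the advertised terms out of band and agrees to them.
    state.agreed_terms_url = terms_url_from_directory(DIRECTORY_JSON)
    after = new_account_payload(DIRECTORY_JSON, state, contact)
    # 3. Terms change: agreement to v1 must not carry over to v2.
    stale = new_account_payload(UPDATED_DIRECTORY_JSON, state, contact)
    # 4. Server rejects a later request until a human agrees to the new terms.
    err = classify_error(
        403,
        {"Link": '<https://ca.example/terms/v2.pdf>;rel="terms-of-service"'},
        json.dumps({"type": USER_ACTION_REQUIRED,
                    "detail": "Terms of service have changed",
                    "instance": "https://ca.example/terms/agree"}),
    )
    return {"before": before, "after": after, "stale": stale, "later_error": err}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of recording `agreed_terms_url` rather than a boolean is visible in step 3: the same client state that yields `termsOfServiceAgreed: true` against the v1 directory yields no flag against the v2 directory, and the `userActionRequired` branch hands the new URL to a person instead of retrying with agreement set.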
