On 09/14/2016 01:14 AM, Ron wrote:
> doing some sort of legal theatre lite where the client blindly sends
For better or for worse, there is some "legal theatre lite" required to
get a certificate in the Web PKI. The Baseline Requirements require it.
The question is: Do we automate it or do we not automate it?
> a hard coded "sure, whatever you say, whenever you say it" flag.
I am *not* proposing a "sure, whatever you say, whenever you say it"
flag. I am proposing that ACME only needs to know how to agree on terms
of service when creating an account. If the server later wants their
users to agree to new terms, that can readily be implemented with
error codes and out-of-band URLs.
You are proposing that ACME specify not only initial agreement, but also
how to negotiate subsequent agreements. There is no need for this,
specifically because those subsequent agreements cannot be automated.
ACME is the Automated Certificate Management Environment. Why would we
include extra plumbing that can only be used manually?
> We could just provide a directory entry (which could even be optional)
> that indicates where the terms can be found
This exists, and is what my proposal is based on.
> that any other use of the service indicates acceptance of those terms
> (just like pretty much every other network service in existence does
> without needing to kludge a contentless 'accept' bit into the protocol).
I understand this proposal is an unappealing compromise. I feel the same
way. I'd prefer to go all the way and remove explicit agreement to
terms. Unfortunately, the BRs don't seem compatible with this.
In another thread, Rich has asked if we are close to consensus. How
strong are your objections? Are you willing to join the CA/Browser Forum
as an Interested Party and propose the necessary change to the BRs?
Acme mailing list
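The flow argued for in the message above, as an added model that is not part of the original thread or of any ACME implementation: agreement is negotiated only at account creation, and a later change of terms is refused with a problem document whose `instance` field carries the out-of-band URL. The `Directory`, `Account` and `Problem` names and the sample URLs are constructed for illustration; the error type strings follow the ACME problem-type URN scheme.

```python
from dataclasses import dataclass

# ACME problem types; userActionRequired is the "go read this out of band" signal.
TOS_CHANGED = "urn:ietf:params:acme:error:userActionRequired"
MALFORMED = "urn:ietf:params:acme:error:malformed"


@dataclass
class Directory:
    """Constructed stand-in for the directory's 'meta' entry advertising terms."""
    terms_of_service: str


@dataclass
class Account:
    agreed_terms: str  # URL of the terms this account agreed to at creation


class Problem(Exception):
    """RFC 7807-style problem document, the server's only in-band ToS channel."""
    def __init__(self, type_, detail, instance=None):
        super().__init__(detail)
        self.type, self.detail, self.instance = type_, detail, instance

    def as_json(self):
        doc = {"type": self.type, "detail": self.detail}
        if self.instance:
            doc["instance"] = self.instance  # out-of-band URL the user must visit
        return doc


def new_account(directory, payload):
    """Account creation is the one step where agreement is part of the protocol."""
    if directory.terms_of_service and not payload.get("termsOfServiceAgreed"):
        raise Problem(MALFORMED, "must agree to terms of service",
                      directory.terms_of_service)
    return Account(agreed_terms=directory.terms_of_service)


def authorize(directory, account):
    """Any later request: if the advertised terms moved, refuse and point
    at the new URL. No re-agreement message exists in the protocol; the
    operator handles acceptance out of band and updates the account record."""
    if account.agreed_terms != directory.terms_of_service:
        raise Problem(TOS_CHANGED, "terms of service have changed",
                      directory.terms_of_service)
    return True
```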