> I don't see a problem with having the directory show that the current > ToS is "version 3", and the registration object show that explicit > assent was obtained for "version 1", and leaving it up to the legal > acrobatics in the text of version 1 to say that explicit assent isn't > required for the "or later version" terms to apply automatically at > some point in time. In this case a client should have some way to determine if explicit re-agreement is required. An "agreement-valid": bool field would suffice for this.
> Yes, but this was an issue with Boulder's implementation, not the > protocol per-se. I personally found it surprising that it allowed > this, but the protocol didn't force it to[1] - it could have refused > any new-reg request without an acceptance instead of just disallowing > later operations until one was received. > > There were at least some clients that were submitting the acceptance > with the initial new-reg request. Fairly sure the only way to determine the ToS URI is by registering first so you can get it from the Link header. The ToS URI still isn't available in boulder's directory: https://acme-v01.api.letsencrypt.org/directory So if any clients were submitting the ToS URI they must have been hardcoding it, which is a terrible practice. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
