On Tue, Sep 27, 2016 at 06:13:17AM +0100, Hugo Landau wrote:
> > The most likely out-of-band channel is email, right? So the CA would
> > send out email informing their customers that there's a new ToS, and the
> > customer needs to explicitly agree to it in the next N days, or they
> > will be unable to use the service.
> > 
> > There are a couple of options the CA could ask their customer to do for
> > the next step:
> > 
> >  a) Click a link in the email, read the new ToS, and click "Agree" at
> > the bottom.
> >  b) Click a link in the email, read the new ToS, and copy and paste the
> > new ToS URL into the customer's ACME client config.
> > 
> > I think (a) is both more user-friendly and more likely to be what a CA
> > would actually implement.
>
> I agree that (a) would make sense for many users. However, providing an
> e-mail address is not mandatory, and (b) is more automatable anyway. So
> I'd expect most users to use (a) and users with large deployments or no
> e-mail address registered to at least be able to use (b) if they
> wanted.

And then there's the little question of emailing a few billion users vs.
setting a notification bit in a response when they next connect to the
service ...  assuming we want this to be ubiquitous and scalable.

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
