Why not allow both? We'd use (a) over (b), but if email isn't required, then
(b) is certainly an acceptable method of confirming ToS acceptance.

-----Original Message-----
From: Acme [mailto:[email protected]] On Behalf Of Hugo Landau
Sent: Monday, September 26, 2016 11:13 PM
To: Jacob Hoffman-Andrews <[email protected]>
Cc: [email protected]
Subject: Re: [Acme] Simplifying ToS agreement

> The most likely out-of-band channel is email, right? So the CA would 
> send out email informing their customers that there's a new ToS, and 
> the customer needs to explicitly agree to it in the next N days, or 
> they will be unable to use the service.
> 
> There are a couple of options the CA could ask their customer to do 
> for the next step:
> 
>  a) Click a link in the email, read the new ToS, and click "Agree" at 
> the bottom.
>  b) Click a link in the email, read the new ToS, and copy and paste 
> the new ToS URL into the customer's ACME client config.
> 
> I think (a) is both more user-friendly and more likely to be what a CA 
> would actually implement.

I agree that (a) would make sense for many users. However, providing an
e-mail address is not mandatory, and (b) is more automatable anyway. So I'd
expect most users to use (a) and users with large deployments or no e-mail
address registered to at least be able to use (b) if they wanted.

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
