> A client should attempt to fulfill at most one of these challenges,

"fulfill" is an odd word. And "attempt" is an odd word in concert. I'm pretty sure you're trying to say to a client "once you've fulfilled a challenge, you do not need to fulfill any additional challenges", not "you should only try one challenge, and if you fail, you should not try to complete any of the others".

The "at most one" text is odd... I suppose a client could attempt to fulfill zero challenges, but that seems pointless.

> and a server should consider any one of the challenges sufficient to make the
> authorization valid.

I think something like:

A server SHOULD treat the challenges portion satisfied when a client fulfills one challenge.

That should be sufficient to tell client implementations that they need to complete one, and that they don't need to complete more than one, without telling them that if they try one and fail, they shouldn't try a different one.

FWIW, as a user, I run into this portion of the spec often. Typically my client tries https or http. But a friendly client would be willing to try both, stopping if the first one it tries completes, but continuing to the second if the first fails.
