> The only type of identifier defined by this specification is a
> fully-qualified domain name

> To enable ACME account binding, a CA needs to provision the ACME client with
> a MAC key and a key identifier. The key identifier MUST be an ASCII string.
> The MAC key SHOULD be provided in base64url-encoded form, to maximize
> compatibility between provisioning systems and ACME clients.
> The "kid" field MUST contain the key identifier provided by the CA

It feels to me that the spec defines "kid" as a "key identifier", which has the word "identifier" in it. I think that this spec is trying to say that the only identifier type that ACME is defining for the purposes of vouching is FQDN/"dns", but that isn't what the plain language says.

----

> The value of the identifier MUST be the ASCII representation of the domain
> name.

If I were in review mode and making changes, I'd change this instance of "identifier" to "dns identifier", but it probably will require other cascading changes.

The other approach is to change "key identifier" to something which doesn't conflict with "identifier".

Personally, I'd much rather the former than the latter, but both require careful work instead of spot changes (and thus they're out of scope for my current PR commit series -- which has nearly 20 individual changes to date).

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
