> We'd like to start a short working group last call on the changes made in response to the previous last call. It will end June 28th, 2017, any time zone (to accommodate any changes needed before the draft deadline the following Monday).

There is this sentence in the security considerations (10.2 Integrity of Authorizations) that strikes me as extremely misleading:

"All of the challenges above have a binding between the account private key and the validation query made by the server, via the key authorization. The key authorization is signed by the account private key, reflects the corresponding public key, and is provided to the server in the validation response."

The key authorization itself does NOT contain the signature of the account's key. It does, though, get signed by the account's key later on in the challenge response (not the validation response) over the ACME channel (not the validation channel).

What about saying that in the chronological order of events:

"The key authorization reflects the account public key, is provided to the server in the validation response over the validation channel and signed afterwards by the corresponding private key in the challenge response over the ACME channel"

Best regards,
Marcos
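
An added example, not part of the message above or of the draft text: the key authorization built as token || "." || base64url(SHA-256 JWK thumbprint of the account key, RFC 7638), which needs only the account public key, together with the comparison a server can make on the value it fetches over the validation channel. The sample key, the token and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Members that enter an RFC 7638 thumbprint, per key type (public values only).
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint: required members only, sorted names, no whitespace."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint. No private key is used, so nothing is signed."""
    return token + "." + jwk_thumbprint(account_jwk)


def server_accepts(token: str, account_jwk: dict, served: str) -> bool:
    """Compare the value fetched over the validation channel with the one
    recomputed from the account's registered public key."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(expected.encode(), served.encode())


# Constructed sample values (not a real key or a real ACME token).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = dict(ACCOUNT_JWK, x=b64url(b"\x03" * 32))
TOKEN = "constructed-sample-token"

if __name__ == "__main__":
    ka = key_authorization(TOKEN, ACCOUNT_JWK)
    print("key authorization:", ka)
    print("accepted for account key:", server_accepts(TOKEN, ACCOUNT_JWK, ka))
    print("accepted for other key:  ", server_accepts(TOKEN, OTHER_JWK, ka))
```

Anyone who knows the token and the account public key can compute this string, so the proof of possession of the private key comes from the signed request on the ACME channel, not from the key authorization itself.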
