Yeah, I agree that the intent here is for the CSR to match the certificate in all material respects.
This does require the client to know what it wants, so it knows what to put in the CSR. Do you have a use case where that's not the case?

On Thu, Aug 17, 2017 at 9:54 AM, Salz, Rich <[email protected]> wrote:

> It's unclear to me whether an ACME CA is allowed to issue a cert with
> a superset of identifiers that were requested in the order. I see the
> language:
>
> > The server MUST return an error if it cannot fulfill the request as
> > specified, and MUST NOT issue a certificate with contents other than
> > those requested.
>
> The “and MUST NOT” clause means that both parts are required to be true.
> So if you ask for A B and you are given A B C then the server was not
> compliant.
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
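The "asked for A B, given A B C" case discussed in this thread, as an added example that is not part of the thread or of the ACME draft: a client-side check that the identifiers at each stage (order, CSR, issued certificate) are exactly the same set. It assumes the names have already been extracted from the order, CSR and certificate; the function names and sample names are constructed for illustration.

```python
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Canonical form for comparing DNS identifiers: DNS names are
    case-insensitive, and a trailing root dot does not change the name."""
    return name.strip().rstrip(".").lower()


@dataclass(frozen=True)
class IdentifierDiff:
    extra: frozenset    # present in the later stage but never requested
    missing: frozenset  # requested but absent from the later stage

    @property
    def verdict(self) -> str:
        if self.extra and self.missing:
            return "mismatch"
        if self.extra:
            return "superset"
        if self.missing:
            return "subset"
        return "exact"


def compare_identifiers(requested, issued) -> IdentifierDiff:
    """Set difference in both directions after normalization."""
    req = frozenset(normalize(n) for n in requested)
    got = frozenset(normalize(n) for n in issued)
    return IdentifierDiff(extra=got - req, missing=req - got)


def check_issuance(order_names, csr_names, cert_names) -> dict:
    """Compare each stage with the one before it (hypothetical helper).
    Wildcards are compared literally: '*.example.com' is its own identifier."""
    return {
        "csr_vs_order": compare_identifiers(order_names, csr_names),
        "cert_vs_csr": compare_identifiers(csr_names, cert_names),
    }


# Constructed sample: order and CSR agree, the certificate carries one extra name.
ORDER = ["a.example.com", "b.example.com"]
CSR = ["A.example.com", "b.example.com."]
CERT = ["a.example.com", "b.example.com", "c.example.com"]

if __name__ == "__main__":
    for stage, diff in check_issuance(ORDER, CSR, CERT).items():
        print(stage, diff.verdict, sorted(diff.extra), sorted(diff.missing))
```

A client that treats anything other than `exact` at either stage as a failure will refuse a certificate with added names instead of silently deploying it.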
