My thoughts: - Requiring an explicit action against the order after the fulfilment of authorizations to cause issuance seems fine to me.
- I think moving the submission of the CSR to the end of this process is a mistake. The ACME protocol should permit CAs to implement policy as far as is reasonably practicable with regard to the workflows around which the protocol is organised. Providing the CSR up-front allows the CA to predicate order processing on aspects of that CSR, both with regard to the present protocol and any future extensions, both now and in the future in ways that we can and cannot foresee. I don't think it's appropriate to defer giving critical information to the CA until the last minute due to a resource utilisation concern which LE has already proven capable of dealing with, especially when the whole point of the order flow in the first place was to provide more flexibility for CAs to institute policy. A possible compromise would be to require the CSR to be submitted both on new-order and on finalization, but that's quite clumsy. _______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
