On 11/30/2017 12:58 PM, Logan Widick wrote:
> In the new finalizeURL approach to orders, do order objects need to
> contain a CSR after a user attempted to finalize the order, or after
> the order is finalized? Would the CA have to store the CSR after it's
> posted, or after the certificate is issued?

Good question. Previously, we expected that the CA had to store the CSR because it would need the public key in order to issue. With finalizeURL, we can get rid of that requirement. CAs are required to record CSRs in their audit logs, but there is no formal requirement to keep them in an online database. So my preference would be to remove the "csr" field from order objects, since it doesn't serve any purpose.

Other thoughts?
