I would like to keep it around.  Part of the idea of the order and
authorization objects is to provide some possibility of accounting for how
a certificate was issued.  Removing the "csr" would remove some of that
transparency.

As Jacob points out, CAs are already required to keep around CSRs in audit
logs.

On Thu, Nov 30, 2017 at 5:25 PM, Daniel McCarney <[email protected]>
wrote:

>> So my preference would be to remove the "csr" field from order objects,
>> since it doesn't serve any purpose.
>
>
> I agree. I don't think it makes sense to echo it back to the client that
> sent it. +1 to removing.
>
> On Thu, Nov 30, 2017 at 4:01 PM, Jacob Hoffman-Andrews <[email protected]>
> wrote:
>
>> On 11/30/2017 12:58 PM, Logan Widick wrote:
>> > In the new finalizeURL approach to orders, do order objects need to
>> > contain a CSR after a user attempted to finalize the order, or after
>> > the order is finalized? Would the CA have to store the CSR after it's
>> > posted, or after the certificate is issued?
>> Good question. Previously, we expected that the CA had to store the CSR
>> because it would need the public key in order to issue. With
>> finalizeURL, we can get rid of that requirement. CAs are required to
>> record CSRs in their audit logs, but there is no formal requirement to
>> keep them in an online database. So my preference would be to remove the
>> "csr" field from order objects, since it doesn't serve any purpose.
>>
>> Other thoughts?
>>
>> _______________________________________________
>> Acme mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/acme
>>
>
>