On Thu, Jan 11, 2018 at 16:11:39 +0100, Robert Kästel wrote:
> Is external account binding supposed to always use the MAC key and external
> CA kid for signing subsequent requests?
> Or is the client supposed to generate a new account key pair that gets
> associated with the external CA kid after external account binding, and
> uses that to sign subsequent requests?

The latter one. Your typical workflow, as I understand the specs, could be:

* Register an account with your CA, e.g. register on their website, using username + password.
* On their website click the "generate ACME key".
* Website displays a key_id (e.g. your username) and a random MAC.
* You create an asymmetric ACME account keypair (e.g. RSA or ECC).
* You create a JWS using your username + MAC.
* You call the newAccount endpoint using your new asymmetric keypair. Payload includes the JWS from the previous step.
* For all subsequent operations you use your asymmetric ACME account key pair. You can forget about your MAC.
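As an added example (not from the thread or any ACME implementation), the externalAccountBinding object from the steps above, built client-side with the key_id + MAC and checked CA-side, using only Python's standard library. The key id, MAC key, newAccount URL and account JWK are constructed sample values; the outer JWS signed with the asymmetric account key is not shown.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from the thread).
NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"
EAB_KID = "rkaestel"                       # key_id shown by the CA website, e.g. the username
EAB_MAC = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()  # random MAC, base64url
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",        # public half of the new ACME account key (constructed)
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_eab(kid: str, mac_b64url: str, account_jwk: dict, url: str) -> dict:
    """Client side: HS256 JWS whose payload is the account public key, keyed by the CA's MAC."""
    header = {"alg": "HS256", "kid": kid, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    sig = hmac.new(b64url_decode(mac_b64url), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(sig)}


def new_account_payload(eab: dict) -> dict:
    """The JSON body the client then signs with its asymmetric account key (outer JWS not shown)."""
    return {"termsOfServiceAgreed": True, "externalAccountBinding": eab}


def verify_eab(eab: dict, mac_b64url: str, expected_kid: str, outer_jwk: dict, outer_url: str) -> bool:
    """CA side: recompute the MAC and check the binding names this kid, this URL and this account key."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid or header.get("url") != outer_url:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(b64url_decode(mac_b64url), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    # The bound key must be exactly the key that signed the outer newAccount request.
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk
```

After a successful check the CA links the new account key to the external kid; the MAC key plays no further role, which is why later requests are signed only with the account key.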
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
