Hi, challenge tokens "MUST have at least 128 bits of entropy", but at the same time it seems trivial to guess order and authorization URLs like the ones used in the examples. It seems natural that URLs MUST be generated with the same amount of entropy, but I couldn't find that in the draft.
For account objects, GET requests are not allowed: "Servers SHOULD NOT respond to GET requests for account resources as these requests are not authenticated." This suggests that all non-expiring URLs should be protected in this way. At least for order lists, this protection is missing. Best, Sophie
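To make the concern concrete, here is an added example (my own illustration, not code from the ACME draft or from the poster) that generates resource identifiers with the same 128-bit minimum the draft imposes on challenge tokens, and checks an existing resource URL against that bar. The check infers an upper bound on entropy from the narrowest alphabet the last path segment could have been drawn from; a server that numbers its orders sequentially has even less entropy than that bound, so a low bound is enough to flag the URL. The example URLs and the `resource_id` / `url_is_unguessable` helpers are constructed for this illustration.

```python
import base64
import math
import re
import secrets
from urllib.parse import urlsplit

# The draft's minimum for challenge tokens; applied here to resource URLs as well.
MIN_ENTROPY_BITS = 128


def new_opaque_id(entropy_bits: int = MIN_ENTROPY_BITS) -> str:
    """Random, URL-safe identifier carrying at least `entropy_bits` of entropy,
    encoded as base64url without padding (the form ACME uses for tokens)."""
    raw = secrets.token_bytes(math.ceil(entropy_bits / 8))
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def estimated_entropy_bits(segment: str) -> float:
    """Upper bound on the entropy of one path segment, inferred from the
    narrowest alphabet that can produce it (decimal, hex, base64url).
    This is a heuristic: a real sequential counter has far less entropy
    than the bound, which is exactly why a low bound means 'guessable'."""
    if re.fullmatch(r"[0-9]+", segment):
        return len(segment) * math.log2(10)
    if re.fullmatch(r"[0-9a-fA-F]+", segment):
        return len(segment) * 4
    if re.fullmatch(r"[A-Za-z0-9_-]+", segment):
        padded = segment + "=" * (-len(segment) % 4)
        try:
            # Decoded byte length gives the exact entropy for a random token
            # (e.g. 22 base64url chars -> 16 bytes -> 128 bits, not 22*6).
            return len(base64.urlsafe_b64decode(padded)) * 8
        except ValueError:
            return len(segment) * 6
    # Anything outside these alphabets is not an opaque identifier at all.
    return 0.0


def resource_id(url: str) -> str:
    """Last path segment of a resource URL, e.g. '1234' for /acme/order/1234."""
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


def url_is_unguessable(url: str, min_bits: int = MIN_ENTROPY_BITS) -> bool:
    """True if the resource identifier in `url` could carry at least `min_bits`."""
    return estimated_entropy_bits(resource_id(url)) >= min_bits


# Constructed sample URLs: the first mimics the draft's example style, the
# second is what a server using new_opaque_id() would hand out.
SAMPLE_SEQUENTIAL_URL = "https://example.com/acme/order/1234"
SAMPLE_RANDOM_URL = "https://example.com/acme/order/" + "_" * 22  # 22 base64url chars = 128 bits

if __name__ == "__main__":
    for url in (SAMPLE_SEQUENTIAL_URL, SAMPLE_RANDOM_URL):
        bits = estimated_entropy_bits(resource_id(url))
        print(f"{url}: ~{bits:.1f} bits, unguessable={url_is_unguessable(url)}")
    print("fresh id:", new_opaque_id())
```

The generator side is the easy part (`secrets.token_bytes` plus base64url); the check is what a reviewer of an ACME server would run over its URL scheme to see whether order, authorization and order-list URLs meet the same bar as challenge tokens.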
