> Your typical workflow, as I understand the specs, could be:
> 
> * Register an account with your CA, e.g. register on their website, using
>   username + password.
> * On their website click the "generate ACME key".
> * Website displays a key_id (e.g. your username) and a random MAC.
> * You create an asymmetric ACME account keypair (e.g. RSA or ECC).
> * You create a JWS using your username + MAC.
> * You call the newAccount endpoint using your new asymmetric keypair.
>   Payload includes the JWS from previous step.
> * For all subsequent operations you use your asymmetric acme account key
>   pair. You can forget about your MAC.

What is the role of the "kid" field in the protected header, when using
external account binding?

According to the specs, the "kid" field usually contains the account URL.

But what is it when the account is bound externally? Does the "kid" field
contain the key identifier from the CA (the same that was used in the
externalAccountBinding subfield)? Or is it still the account URL?

Regards
Richard Körber

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
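
The binding step of the workflow quoted above, as an added example that is not part of the original message or of any CA's code. Under RFC 8555 section 7.3.4 the inner externalAccountBinding JWS carries the CA's key identifier in "kid" and the account public key as its payload, while the outer newAccount JWS carries "jwk" and later requests carry the account URL as "kid". The URL, key identifier, MAC key and JWK values are constructed, and accepting only HS256 is an assumption of this sketch.

```python
import base64, hashlib, hmac, json

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_eab(account_jwk, ca_key_id, mac_key, url):
    """Client side: build the inner JWS carried in the newAccount payload."""
    # Inner header: MAC algorithm, the CA-issued key identifier as "kid", no nonce.
    header = {"alg": "HS256", "kid": ca_key_id, "url": url}
    protected = b64u(json.dumps(header).encode())
    payload = b64u(json.dumps(account_jwk).encode())  # the account public key
    mac = hmac.new(mac_key, f"{protected}.{payload}".encode(), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64u(mac.digest())}

def verify_eab(eab, outer_jwk, outer_url, mac_keys):
    """CA side: return the bound CA key identifier, or None if a check fails."""
    try:
        header = json.loads(b64u_dec(eab["protected"]))
        bound_jwk = json.loads(b64u_dec(eab["payload"]))
        signature = b64u_dec(eab["signature"])
    except (KeyError, TypeError, ValueError):
        return None
    if not isinstance(header, dict) or not isinstance(header.get("kid"), str):
        return None
    if header.get("alg") != "HS256" or "nonce" in header:
        return None
    if header.get("url") != outer_url:      # must match the outer JWS "url"
        return None
    mac_key = mac_keys.get(header["kid"])
    if mac_key is None:
        return None
    signed = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    if bound_jwk != outer_jwk:              # must be the key signing the outer JWS
        return None
    return header["kid"]

# Constructed sample values, not taken from the thread or from any real CA.
NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
CA_MAC_KEYS = {"example-user": b"constructed-mac-key-shown-on-ca-site"}
EAB = make_eab(ACCOUNT_JWK, "example-user", CA_MAC_KEYS["example-user"], NEW_ACCOUNT_URL)
```

The outer newAccount JWS, signed with the account private key, is not built here; `verify_eab` takes its "jwk" and "url" header values as arguments.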