On Thu, Jan 11, 2018 at 22:24:04 +0100, Richard Koerber wrote:
> > Your typical workflow, as I understand the specs, could be:
> >
> > * Register an account with your CA, e.g. register on their website, using
> >   username + password.
> > * On their website click the "generate ACME key".
> > * Website displays a key_id (e.g. your username) and a random MAC.
> > * You create an asymmetric ACME account keypair (e.g. RSA or ECC).
> > * You create a JWS using your username + MAC.
> > * You call the newAccount endpoint using your new asymmetric keypair.
> >   Payload includes the JWS from previous step.
> > * For all subsequent operations you use your asymmetric acme account key
> >   pair. You can forget about your MAC.
>
> What is the role of the "kid" field in the protected header, when using
> external account binding?
>
> According to the specs, the "kid" field usually contains the account URL.
>
> But what is it when the account is bound externally? Does the "kid" field
> contain the key identifier from CA (the same that was used in the
> externalAccountBinding subfield)? Or is it still the account URL?
Assuming you've created your account with externalAccountBinding, then you received a new account URL from the ACME server. You need to use that URL as the "kid" for all requests.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
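The binding flow discussed in this thread, as an added example that is not part of the list posts: it builds the inner externalAccountBinding JWS with the CA-supplied MAC (where "kid" is the CA's key identifier), shows the outer protected header carrying "jwk" for newAccount and the returned account URL as "kid" for every later request, and includes the checks a server makes before accepting the binding. The CA URLs, key_id, MAC key and account JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (hypothetical CA and account, not from the thread).
NEW_ACCOUNT_URL = "https://ca.example/acme/new-account"
KEY_ID = "user-42"                # key identifier shown on the CA website
MAC_KEY = b"constructed-mac-key"  # random MAC handed out together with KEY_ID
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "cx", "y": "cy"}  # placeholder key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()

def make_eab_jws(key_id, mac_key, account_jwk, new_account_url):
    # Inner JWS (RFC 8555 section 7.3.4): HS256 with the CA's MAC key. Its "kid"
    # is the CA key identifier, "url" is the newAccount URL, and it has no nonce.
    protected = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    p, pl = b64url(compact_json(protected)), b64url(compact_json(account_jwk))
    sig = hmac.new(mac_key, f"{p}.{pl}".encode(), hashlib.sha256).digest()
    return {"protected": p, "payload": pl, "signature": b64url(sig)}

def outer_protected_header(alg, url, nonce, account_jwk=None, account_url=None):
    # Outer JWS header: newAccount carries the account key as "jwk"; once the
    # server has returned the account URL, that URL is the "kid" instead.
    header = {"alg": alg, "nonce": nonce, "url": url}
    if account_url is None:
        header["jwk"] = account_jwk
    else:
        header["kid"] = account_url
    return header

def verify_eab(eab, registered_keys, account_jwk, outer_url):
    # Server-side checks: known kid, same url as the outer request, no nonce,
    # valid MAC, and a payload equal to the account key of the outer request.
    protected = json.loads(b64url_decode(eab["protected"]))
    mac_key = registered_keys.get(protected.get("kid"))
    if mac_key is None or protected.get("alg") != "HS256":
        return False
    if protected.get("url") != outer_url or "nonce" in protected:
        return False
    signing_input = f'{eab["protected"]}.{eab["payload"]}'.encode()
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(eab["signature"])):
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk
```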
