On Mon, Mar 05, 2018 at 09:11:02 -0500, Felipe Gasper wrote:
> Regarding alternative formats, I think ACME over WebSocket would be a great
> thing. Replay-nonce would go away, and clients wouldn’t need to poll for the
> certificate unless the connection dropped. The server could send the
> certificate as soon as it’s ready. A simple handshake at the start could take
> the place of JWS, too.
Moving to WebSocket would mean having to specify a new WebSocket-based protocol and reimplementing all servers/clients.

You'd also need to consider MitM (e.g. by CDN or expensive enterprise MitM appliances). Doing a handshake at the beginning won't be enough to keep those from taking over a session after the handshake.

If you wanted to eliminate the polling, it would be possible to change the finalize endpoint to return the certificate directly, even if it takes a while until the HTTP response is sent.

Anyway, I'm satisfied with the current protocol. Complexity should (and can) be addressed by client implementors.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
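The two mechanics the reply argues about, the per-request Replay-Nonce and the finalize-then-poll flow, shown as an added example that is not part of this thread and not code from any ACME client or CA. Everything in it is constructed for illustration: the CA origin `https://acme.example`, the `MockAcmeServer` and its two endpoints, and the `sync_finalize` flag that models the alternative the reply suggests (finalize holding its HTTP response until the certificate exists instead of returning `processing`). HMAC-SHA256 stands in for the account's ES256/RS256 JWS signature so it runs on the standard library alone; the nonce and URL binding in the protected header, and the single-use nonce check with a `badNonce` error, follow RFC 8555 section 6.5.

```python
import base64
import hashlib
import hmac
import json
import secrets

BASE = "https://acme.example"  # hypothetical CA origin (assumption)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class MockAcmeServer:
    """Constructed stand-in for an ACME server, not any real CA's code.
    Every response carries a fresh Replay-Nonce and each nonce is accepted once
    (RFC 8555 s.6.5). sync_finalize=True makes finalize hold its response and
    return the certificate URL directly instead of "processing" to be polled.
    An HMAC key stands in for the account's asymmetric JWS key (assumption)."""

    def __init__(self, account_key: bytes, sync_finalize: bool = False):
        self.account_key = account_key
        self.sync_finalize = sync_finalize
        self.unused_nonces = set()
        self.order_polls = 0  # simulated issuance completes on the third poll

    def new_nonce(self) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.unused_nonces.add(nonce)
        return nonce

    def _verify(self, url: str, jws: dict):
        """Returns (payload, error_type); payload is None for POST-as-GET."""
        protected = json.loads(b64url_decode(jws["protected"]))
        if protected.get("nonce") not in self.unused_nonces:
            return None, "urn:ietf:params:acme:error:badNonce"
        self.unused_nonces.discard(protected["nonce"])  # single use: replays fail here
        signing_input = f"{jws['protected']}.{jws['payload']}".encode()
        expected = b64url(hmac.new(self.account_key, signing_input, hashlib.sha256).digest())
        if protected.get("url") != url or not hmac.compare_digest(expected, jws["signature"]):
            return None, "urn:ietf:params:acme:error:malformed"
        return (json.loads(b64url_decode(jws["payload"])) if jws["payload"] else None), None

    def post(self, url: str, jws: dict):
        """Handle a JWS-wrapped POST; returns (status, headers, body)."""
        headers = {"Replay-Nonce": self.new_nonce()}  # issued on error responses too
        payload, err = self._verify(url, jws)
        if err:
            return 400, headers, {"type": err}
        if url == f"{BASE}/finalize/1" and payload and "csr" in payload:
            if self.sync_finalize:  # no polling: the CA answers once the cert exists
                return 200, headers, {"status": "valid", "certificate": f"{BASE}/cert/1"}
            return 200, headers, {"status": "processing"}
        if url == f"{BASE}/order/1" and payload is None:  # POST-as-GET poll
            self.order_polls += 1
            if self.order_polls < 3:
                return 200, headers, {"status": "processing"}
            return 200, headers, {"status": "valid", "certificate": f"{BASE}/cert/1"}
        return 404, headers, {"type": "urn:ietf:params:acme:error:malformed"}


class AcmeClient:
    """Client side: kid, nonce and url bound into the JWS protected header (constructed)."""

    def __init__(self, server: MockAcmeServer, account_key: bytes, kid: str):
        self.server, self.account_key, self.kid, self.nonce = server, account_key, kid, None

    def build_jws(self, url: str, payload, nonce: str) -> dict:
        protected = {"alg": "HS256", "kid": self.kid, "nonce": nonce, "url": url}
        p = b64url(json.dumps(protected).encode())
        pl = b64url(json.dumps(payload).encode()) if payload is not None else ""
        sig = b64url(hmac.new(self.account_key, f"{p}.{pl}".encode(), hashlib.sha256).digest())
        return {"protected": p, "payload": pl, "signature": sig}

    def signed_post(self, url: str, payload=None):
        if self.nonce is None:
            self.nonce = self.server.new_nonce()  # stands in for HEAD /acme/new-nonce
        status, headers, body = self.server.post(url, self.build_jws(url, payload, self.nonce))
        self.nonce = headers["Replay-Nonce"]  # carry the fresh nonce into the next request
        return status, body


def issue_certificate(sync_finalize: bool = False, max_polls: int = 10):
    """Finalize, then poll until valid; returns (certificate_url, number_of_polls)."""
    key = secrets.token_bytes(32)
    client = AcmeClient(MockAcmeServer(key, sync_finalize), key, f"{BASE}/acct/1")
    status, order = client.signed_post(f"{BASE}/finalize/1", {"csr": "<base64url DER CSR>"})
    for polls in range(max_polls + 1):
        if order.get("status") == "valid":
            return order["certificate"], polls
        status, order = client.signed_post(f"{BASE}/order/1")
    raise TimeoutError("order never became valid")
```

`issue_certificate()` takes three polls to obtain the certificate URL, `issue_certificate(sync_finalize=True)` takes none. Re-sending a captured JWS to `MockAcmeServer.post` fails with `badNonce` because the nonce was consumed by the first delivery; note that the nonce is bound to the request through the signed protected header, so a fresh nonce cannot simply be spliced into an old request either, which is what a WebSocket design with a one-time handshake would have to replace.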
