https://tools.ietf.org/html/rfc8555#section-8.2 says:
'The server MUST add an entry to the "error" field in the challenge after each failed validation query.'

And https://tools.ietf.org/html/rfc8555#section-8 says:
'A challenge object with an error MUST have status equal to "invalid".'

The state transition diagram for challenge objects (https://tools.ietf.org/html/rfc8555#section-7.1.6) appears to indicate(*) that "invalid" is a final state for a challenge object, meaning that it is no longer possible for it to transition to "valid" and that retrying the challenge would therefore be pointless.

ISTM that the "error" field could be a very useful feedback mechanism in between retries, and that a challenge should only go to the "invalid" state once the ACME server has stopped retrying validation queries for that challenge.

Is this what the authors intended? Do folks agree that 'A challenge object with an error MUST have status equal to "invalid"' is a bug in the spec?

(*) I wonder if I'm reading the state transition diagrams correctly... In section 7.1.6, the state transition diagram for authorization objects shows that "invalid" is a final state...right? But if that's the case, why does this sentence not list "invalid" as a final state?
'The order also moves to the "invalid" state if it expires or one of its authorizations enters a final state other than "valid" ("expired", "revoked", or "deactivated").'

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
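To make the two readings of the spec concrete, the following is a small Python model of the challenge status transitions under discussion. It is an added illustration for this thread, not code from the post above or from any ACME server implementation. Its assumptions: the "error" field is modeled as a list of problem documents so that "add an entry" has an obvious meaning (RFC 8555 section 8 defines it as a single object), the policy names "strict" and "retry" are invented here, and the flaky validation probe, challenge URL and token are constructed sample values.

```python
"""Toy model of RFC 8555 challenge status transitions (added example).

Two policies are compared on the same flaky validation scenario:

  "strict" - after each failed validation query an entry is added to "error"
             (section 8.2) and, because a challenge object with an error MUST
             have status "invalid" (section 8), the status becomes "invalid"
             immediately, so no further retries are possible.
  "retry"  - the alternative the post asks about: errors are recorded between
             retries and the challenge only becomes "invalid" once the server
             has stopped retrying.

The "error" field is modeled as a list of problem documents; that is a
modeling choice for this example, not RFC text.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Both readings agree that these two states are terminal for a challenge.
FINAL_CHALLENGE_STATES = {"valid", "invalid"}

Probe = Callable[[int], Optional[Dict[str, str]]]


@dataclass
class Challenge:
    type: str
    url: str
    token: str
    status: str = "pending"
    error: List[Dict[str, str]] = field(default_factory=list)


def validate(challenge: Challenge, probe: Probe, policy: str,
             max_attempts: int = 3) -> Challenge:
    """Drive one challenge through validation under the given policy.

    probe(attempt) stands in for the server's validation query; it returns
    None on success or an RFC 7807-style problem document on failure.
    """
    if challenge.status in FINAL_CHALLENGE_STATES:
        raise ValueError(f"challenge already in final state {challenge.status!r}")
    if policy not in ("strict", "retry"):
        raise ValueError(f"unknown policy {policy!r}")

    challenge.status = "processing"
    for attempt in range(1, max_attempts + 1):
        problem = probe(attempt)
        if problem is None:
            challenge.status = "valid"
            return challenge
        # Section 8.2: an entry MUST be added to "error" after each failed query.
        challenge.error.append(dict(problem, attempt=str(attempt)))
        if policy == "strict":
            # Section 8: a challenge object with an error MUST be "invalid".
            challenge.status = "invalid"
            return challenge
        # "retry": stay in "processing" and query again.
    # Retries exhausted: the server has stopped querying, so the challenge
    # now becomes "invalid" under the retry reading as well.
    challenge.status = "invalid"
    return challenge


def flaky_probe(failures_before_success: int) -> Probe:
    """Constructed probe: the first N queries fail with a connection error."""
    def probe(attempt: int) -> Optional[Dict[str, str]]:
        if attempt <= failures_before_success:
            return {"type": "urn:ietf:params:acme:error:connection",
                    "detail": f"constructed: timeout on attempt {attempt}"}
        return None
    return probe


def new_challenge() -> Challenge:
    # Constructed sample values; the URL and token are not real.
    return Challenge(type="http-01", url="https://acme.example/chall/1",
                     token="constructed-token")


def compare(failures_before_success: int = 2) -> Dict[str, Challenge]:
    """Run the same scenario under both policies and return both outcomes."""
    return {policy: validate(new_challenge(), flaky_probe(failures_before_success), policy)
            for policy in ("strict", "retry")}


if __name__ == "__main__":
    for name, ch in compare().items():
        print(f"{name:6s}: status={ch.status} error entries={len(ch.error)}")
```

With two transient failures followed by a success, the "strict" policy ends in "invalid" with a single error entry and the client never learns that a retry would have succeeded, while the "retry" policy reaches "valid" and carries two error entries as feedback about the earlier attempts; if the failures outlast the retry budget, both policies end in "invalid".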
