RFC8555 sections 8.3 (http-01) and 8.4 (dns-01) both say:
   'A client responds with an empty object ({}) to acknowledge that the
    challenge can be validated by the server.'

Section 7.5.1, which is apparently intended to apply to all challenge 
types (including challenge types defined in other documents), says the 
same thing...
   'The client indicates to the server that it is ready for the challenge
    validation by sending an empty JSON body ("{}") carried in a POST
    request to the challenge URL (not the authorization URL).'
...but then, after showing an example HTTP request, it goes on to say...
   'The server updates the authorization document by updating its
    representation of the challenge with the response object provided by
    the client.  The server MUST ignore any fields in the response object
    that are not specified as response fields for this type of challenge.
    Note that the challenges in this document do not define any response
    fields, but future specifications might define them.'

So it seems that the 'empty JSON body ("{}")' is intended to be 
interpreted by the ACME server as a "response object" that (depending on 
the challenge type) "might define" some "response fields".  However, if 
any response fields are defined and included in the JSON body then the 
client will no longer be sending the 'empty JSON body ("{}")' that 
section 7.5.1 says it's supposed to send...
   'The client indicates to the server that it is ready for the challenge
    validation by sending an empty JSON body ("{}") carried in a POST
    request to the challenge URL (not the authorization URL).'

How would folks feel about an erratum to change that sentence in section 
7.5.1 to the following:
   'The client indicates to the server that it is ready for the challenge
    validation by sending a POST request to the challenge URL (not the
    authorization URL), where the body of the POST request is a JWS
    object whose JSON payload is a response object (see Section 8).  For
    all challenge types defined in this document, the response object is
    the empty JSON object ({}).'
?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
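As an added worked example (not part of the message above, of RFC 8555, or of any ACME implementation), the following Go program shows both halves of the section 7.5.1 exchange under the reading the proposed erratum text describes: the client wraps a response object in a JWS (section 6.2 protected header with alg, kid, nonce and url; ES256 signature over the usual JWS signing input) whose payload is {} for http-01 and dns-01, and the server verifies the JWS with the account key, checks the url header against the challenge URL, parses the payload as a JSON object, and keeps only the response fields defined for that challenge type, dropping everything else as section 7.5.1 requires. The account and challenge URLs, the nonce and the per-type response field table are constructed sample values; nonce replay checking and looking up the account key from kid are assumed to happen before AcceptChallengeResponse is called.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url throughout (RFC 7515 section 2)

type FlattenedJWS struct { // the Flattened JSON Serialization RFC 8555 section 6.2 requires for every request body
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// SignChallengeResponse builds the client's POST body for a challenge URL: a JWS whose payload is
// the response object. For http-01 and dns-01 the caller passes an empty map, which marshals to "{}".
func SignChallengeResponse(key *ecdsa.PrivateKey, kid, nonce, challengeURL string, response map[string]interface{}) (*FlattenedJWS, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": challengeURL}) // section 6.2 header fields
	body, err := json.Marshal(response)
	if err != nil {
		return nil, err
	}
	jws := &FlattenedJWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(body)}
	// JWS signing input is ASCII(BASE64URL(header) || "." || BASE64URL(payload)); ES256 hashes it with SHA-256.
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // RFC 7518 section 3.4: R || S, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	jws.Signature = b64.EncodeToString(sig)
	return jws, nil
}

var responseFields = map[string]map[string]bool{"http-01": {}, "dns-01": {}} // response fields defined per type; RFC 8555 defines none

// AcceptChallengeResponse is the server side of section 7.5.1: verify the JWS with the account key,
// check it was addressed to this challenge URL, and keep only the response fields defined for the
// challenge type. Nonce replay checking and the kid-to-account lookup are assumed to happen before this.
func AcceptChallengeResponse(jws *FlattenedJWS, accountKey *ecdsa.PublicKey, challengeURL, challengeType string) (map[string]interface{}, error) {
	allowed, ok := responseFields[challengeType]
	if !ok {
		return nil, errors.New("unsupported challenge type")
	}
	hdrBytes, err := b64.DecodeString(jws.Protected)
	if err != nil {
		return nil, err
	}
	var hdr map[string]string
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr["alg"] != "ES256" || hdr["url"] != challengeURL {
		return nil, errors.New("unsupported alg or url header does not match the challenge URL")
	}
	sig, err := b64.DecodeString(jws.Signature)
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(jws.Protected + "." + jws.Payload))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(accountKey, digest[:], r, s) {
		return nil, errors.New("invalid signature")
	}
	body, err := b64.DecodeString(jws.Payload)
	if err != nil {
		return nil, err
	}
	var response map[string]interface{}
	if err := json.Unmarshal(body, &response); err != nil || response == nil {
		return nil, errors.New("payload is not a JSON object")
	}
	kept := map[string]interface{}{}
	for k, v := range response {
		if allowed[k] { // section 7.5.1: MUST ignore fields not defined for this challenge type
			kept[k] = v
		}
	}
	return kept, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jws, _ := SignChallengeResponse(key, "https://acme.example/acct/1", "constructed-nonce", "https://acme.example/chall/42", map[string]interface{}{}) // constructed sample values
	wire, _ := json.Marshal(jws)
	fmt.Println(string(wire)) // the POST body: protected header, payload "e30" (that is, "{}"), signature
	fmt.Println(AcceptChallengeResponse(jws, &key.PublicKey, "https://acme.example/chall/42", "http-01"))
}
```

Running it prints the flattened JWS as it would travel in the POST body; the "payload" member is "e30", the base64url encoding of "{}", which is the only place the 'empty JSON body' of section 7.5.1 actually appears on the wire. A client that adds fields not defined for the challenge type is not rejected, only trimmed, so on the server side the response object and the empty object coincide for the RFC 8555 challenge types but need not for a future type that defines response fields.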
