I think I'm missing the point of DV end user client certificate. Most CA
already gives cert with both Server Authentication and Client
Authentication when they signs a TLS certificate. So I'm not sure why
anyone would bother to set up for additional challenge to get a
client-limited usage certificate.
for personal identity verification, maybe electronic ID cards like
bio-metric passport can be used? e-boarder but happens remotely? not
sure if we can trust client's camera/fingerprint sensor/etc in this
context though.
and as ACME (by rfc8555) doesn't get CSR until they finalize the order
that happens after verification
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
