Thanks for the review Daniel.
I created a github issue to track:
https://github.com/upros/acme-subdomains/issues/2
From: Acme <acme-boun...@ietf.org> On Behalf Of Daniel Migault
Sent: 09 December 2021 06:26
To: acme@ietf.org
Subject: [Acme] question regarding -subdomains-00 section 5
Briefly looking at the flows of section 5 I do have the following
questions/comments.
| POST /challenge | |
|--------------------------->| |
| | Verify |
| |---------->|
| 200 status=valid | |
|<---------------------------| |
I believe the 200 response is the response to the POST / Challenge
extrapolating the POST-as-GET to the order resource.
[ofriel] Correct.
My understanding is that the purpose of the POST is to indicate the challenge
can be checked by the ACME server. It has a challenge url as well as an empty
JSON payload {}.
The POST-as-GET purpose would be to check the status of the authorization
resource. It has an new-order url and a void payload.
If the 200 status=valid is a response to a POST /challenge, I am wondering if
that is a common practice for ACME server to delay the response of a POST
/challenge and to have the client inferring the 200 status=valid will be
reflected in the authorization and later in the order with a status=ready or
valid.- assuming the the order requires a single authorization. When multiple
authorizations are involved, the ACME client would need to keep track of those.
I might also have missed this in 8555.
[ofriel] https://datatracker.ietf.org/doc/html/rfc8555#section-7.5.1 states:
“Usually, the validation process will take some time, so the client
will need to poll the authorization resource to see when it is
finalized”
So you are correct, the usual flow is an immediate response to the client with
a status=processing, and then the client polls until it gets a response with
status=valid. I guess the operative word in the acme-subdomains doc is
*Illustrative* call flow, but I could add a processing response and a client to
server poll to the call flow to make it clearer and align with the ‘usual’ flow
if there is consensus that that will make things clearer.
The ACME spec is pretty flexible and not proscriptive here. And yes, if the
client has multiple pending authorizations, then yes it will have to track
these different pending objects.
I do have a similar question regarding the finalize order exchange.
Beginning of page 12, given the text on page 11, and the introduction to step
2, it seems maybe clearer to set the status of the authorization object to
"valid".
[ofriel] Maybe it becomes clearer if I split the paragraph. I can put the
second sentence “Once the client completes the challenge, the server will
transition the authorization object and associated challenge object status to
"valid". “ after the example STEP 1 JSON.
STEP 2:
"""
As an authorization object already exists for the parent ADN of the
Domain Namespace, the server replies with an order object with a
status of "valid" that includes a link to the existing "valid"
authorization object.
"""
I have the impression an order has its status set to valid once the certificate
has been issued. In STEP 2, my understanding is that authorization has been
validated and the order has not been finalized, so I would have expected a
status set to ready.
I have the same issue in STEP 3.
[ofriel] Correct for both steps, will update to “ready”.
Yours,
Daniel
--
Daniel Migault
Ericsson
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
