On 07/08/2016 04:02 PM, James Kasten wrote:
> It seems unfortunate that with this PR, the only guaranteed way to
> begin the ACME process is by posting a failed registration request.

The feedback about sending a failed POST to get your first nonce, and
400's not being recoverable, makes a lot of sense. I'll add a separate
POST endpoint that just gets a nonce.

I think having GET /directory return the first nonce isn't great,
because (a) /directory is actually one of the most commonly fetched
URLs, and doesn't necessarily imply an intention to proceed with
issuance, and (b) it violates the norm that GETs should be idempotent,
and makes caching of the otherwise cacheable /directory impossible.

> Additionally, I have seen some clients which fetch the directory
> before each submission for a fresh nonce, yielding at least twice as
> many nonces as they need. (Example:
> https://github.com/diafygi/letsencrypt-nosudo/blob/master/sign_csr.py#L26 )
> With this PR, clients may be inclined to simply perform all of their
> transactions twice to get the same "nonce_req" result.

This is a good point. I waffled on whether successful POSTs should be
required to return a nonce, or only allowed, but I agree that making it
optional would encourage the double-POSTing client design, which is
relatively wasteful.
_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
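
The nonce flow discussed in this message, as an added example that is not part of the original email or of any ACME implementation: a constructed in-memory server compares a client that reuses the nonce returned by each successful POST with one that fetches a fresh nonce before every submission. `ToyAcmeServer`, its `new_nonce` endpoint, and the status codes are assumptions made for illustration.

```python
import secrets

class ToyAcmeServer:
    """Constructed in-memory stand-in for an ACME server (illustration only)."""
    def __init__(self):
        self.valid = set()   # nonces issued and not yet consumed
        self.issued = 0      # total nonces the server had to mint

    def _fresh(self):
        nonce = secrets.token_urlsafe(16)
        self.valid.add(nonce)
        self.issued += 1
        return nonce

    def new_nonce(self):
        # Hypothetical nonce-only endpoint: no other side effects.
        return {"status": 204, "Replay-Nonce": self._fresh()}

    def post(self, nonce, payload):
        if nonce not in self.valid:
            return {"status": 400}          # unknown or replayed nonce
        self.valid.discard(nonce)           # single use
        # Successful POSTs always return a nonce for the next request.
        return {"status": 200, "Replay-Nonce": self._fresh()}

def chained_client(server, payloads):
    """One up-front fetch, then reuse the nonce from each response."""
    nonce = server.new_nonce()["Replay-Nonce"]
    statuses = []
    for payload in payloads:
        resp = server.post(nonce, payload)
        statuses.append(resp["status"])
        # Only go back to the nonce endpoint if the response carried none.
        nonce = resp.get("Replay-Nonce") or server.new_nonce()["Replay-Nonce"]
    return statuses

def refetching_client(server, payloads):
    """Fetch a fresh nonce before every submission; response nonces are wasted."""
    statuses = []
    for payload in payloads:
        nonce = server.new_nonce()["Replay-Nonce"]
        statuses.append(server.post(nonce, payload)["status"])
    return statuses

def nonces_issued(client, n=5):
    """Run n submissions with the given client; return (statuses, nonces minted)."""
    server = ToyAcmeServer()
    statuses = client(server, [f"req-{i}" for i in range(n)])
    return statuses, server.issued
```

For five submissions the chained client makes the server mint six nonces, while the refetching client makes it mint ten.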