There has been some confusion[0][1] around the relationship between the "identifiers" and "authorizations" arrays in an order object. Because one particular ACME implementation[2] returns an authorization for each identifier in an order, some developers made assumptions about the order of the "authorizations" and "identifiers" fields in an order matching.
There is no language in-spec that dictates the order of elements in fields. Since server policy allows for a design in which an order object has fewer authorizations than identifiers, defining a sort order isn't especially helpful anyway. There is no guaranteed 1:1 relation between identifiers and authorizations.

I opened a PR[3] to indicate client developers SHOULD NOT assume a sort order for the "identifiers", "authorizations" or "challenges" fields in server responses. This PR also includes an explicit mention that there is no guaranteed 1:1 relationship between an order's identifiers and its authorizations.

- Daniel / cpu

[0] - https://community.letsencrypt.org/t/dns-based-validation-fails-on-renew/59027
[1] - https://github.com/ietf-wg-acme/acme/issues/419
[2] - https://github.com/letsencrypt/boulder
[3] - https://github.com/ietf-wg-acme/acme/pull/421
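Added example, not part of the original message and not code from any ACME client or server: a client-side sketch that pairs each authorization with the name it covers by reading the authorization's own "identifier" field, and picks a challenge by its "type", instead of relying on array positions. The order, authorization objects, URLs under acme.example and tokens are constructed sample data, and the in-memory dictionary stands in for fetching each authorization URL.

```python
# Constructed sample data: authorizations come back in a different order than
# the identifiers, and c.example.com has no authorization in this order.
ORDER = {
    "identifiers": [{"type": "dns", "value": v} for v in
                    ("a.example.com", "b.example.com", "c.example.com")],
    "authorizations": ["https://acme.example/authz/2",
                       "https://acme.example/authz/1"],
}

def _authz(name, n, types):
    # Helper that builds a constructed authorization object.
    return {"identifier": {"type": "dns", "value": name}, "status": "pending",
            "challenges": [{"type": t, "token": f"tok-{n}-{t}",
                            "url": f"https://acme.example/chall/{n}/{t}"}
                           for t in types]}

# Stands in for fetching each authorization URL from the server.
AUTHZS = {
    "https://acme.example/authz/1": _authz("a.example.com", 1, ["http-01", "dns-01"]),
    "https://acme.example/authz/2": _authz("b.example.com", 2, ["dns-01", "http-01"]),
}

def plan_challenges(order, fetch_authz, challenge_type):
    """Map each pending authorization's own identifier to the challenge to answer."""
    plan = {}
    for url in order["authorizations"]:
        authz = fetch_authz(url)
        ident = authz["identifier"]
        # Key on what the authorization says it covers, never on list position.
        # The RFC 8555 "wildcard" flag keeps example.com and *.example.com apart.
        key = (ident["type"], ident["value"], bool(authz.get("wildcard", False)))
        if authz["status"] != "pending":
            continue  # e.g. already valid: nothing to do
        # Select the challenge by type; its index in "challenges" means nothing.
        matches = [c for c in authz["challenges"] if c["type"] == challenge_type]
        if not matches:
            raise LookupError(f"no {challenge_type} challenge offered for {key}")
        plan[key] = matches[0]
    return plan

if __name__ == "__main__":
    for key, chall in plan_challenges(ORDER, AUTHZS.__getitem__, "dns-01").items():
        print(key, "->", chall["url"])
```

Pairing ORDER["identifiers"][0] with ORDER["authorizations"][0] in this data would attach b.example.com's challenge to a.example.com, which is the mismatch the message describes.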
