On Fri, Aug 11, 2023 at 06:30:49PM +0000, Tim Hollebeek wrote:
> > -----Original Message-----
> > From: Acme <[email protected]> On Behalf Of Ilari Liusvaara
> >
> > And it seems like that can be extended to cases where ACME does not
> > require POP by just having the ACME server immediately accept the
> > pseudo-authorization.
>
> I think if the server doesn't want PoP, they should just omit the
> challenge, instead of doing a pseudo-authorization.
>
> Including a "do nothing" authorization just to satisfy the protocol
> police has the risk of confusing people and making them think PoP
> has been performed when it hasn't.

I was not thinking about satisfying the protocol police, but about
necessary signaling to the client. And there probably are better ways
to do that.

And it occurs to me that combining profiles, key-up-front and implicit
finalization (order moving to "processing" instead of "ready" after all
authorizations have been completed) would remove some footguns on both
client (applicant/subscriber) and server (CA) side.

-Ilari
