On Wed, Mar 20, 2024 at 08:57:11PM -0400, Amir Omidi wrote:
> I do think that this draft can do a better job describing the scope. I
> think we should make it more explicit for the client to understand which
> one will be used. I feel like splitting this challenge into three (and
> potentially more, as extra scopes may or may not be added into the future)
> might be a little too noisy.
>
> What do you think about a `scope` field in the authorization resource the
> server sends creates/communicates with the client? Clients opting into
> dns02, or dns-account-01 will use this to know exactly what scope the
> server is expecting from them for their ACME order.
The problem with this is that there might be multiple valid scopes, not just a single valid scope. And clients often have only one that will work; the rest will fail (often in rather bad ways).

The obvious scope is host/wildcard on the target name. However, if the CA allows domain scope, there will be N+1 more, where N is the maximum allowed strip (might be 0, might be more).

In another mail, I proposed:

- If the CA allows domain scope, it sends the maximum allowed strip in the challenge. Otherwise only host/wildcard scope is allowed.
- If the client selects domain scope, it sends the strip used in the POST to the challenge URL. Otherwise host/wildcard scope is selected.

-Ilari

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
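The scope enumeration and strip negotiation Ilari describes, modelled as an added example (not code from the thread or from any ACME implementation); the function names, the `max_strip`/`requested_strip` parameters and the "at least two labels remain" guard are assumptions for illustration:

```python
# Added example: candidate scopes for a dns-account-01 / dns-02 style
# challenge when the CA advertises a maximum allowed label strip.
# Scope labels, parameter names and the two-label guard are assumptions.

def candidate_scopes(name, max_strip=None):
    """Return (scope, strip, validated_name) tuples a client could choose.

    Host/wildcard scope on the target name is always available. If the CA
    allows domain scope (max_strip is not None), one domain scope exists per
    strip count 0..max_strip, i.e. N+1 extra scopes as the thread states.
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    labels = base.split(".")
    scopes = [("wildcard" if wildcard else "host", None, base)]
    if max_strip is not None:
        # Assumption: a strip must leave at least two labels; a real CA
        # would apply its own policy (e.g. public suffix rules) here.
        if max_strip > len(labels) - 2:
            raise ValueError("max_strip leaves fewer than two labels")
        for strip in range(max_strip + 1):
            scopes.append(("domain", strip, ".".join(labels[strip:])))
    return scopes


def select_scope(name, max_strip, requested_strip=None):
    """Server-side check of the client's POST to the challenge URL.

    requested_strip None means host/wildcard scope; any other value is a
    domain-scope request that must fall within the advertised max_strip.
    """
    scopes = candidate_scopes(name, max_strip)
    if requested_strip is None:
        return scopes[0]
    if max_strip is None:
        raise ValueError("CA does not allow domain scope for this challenge")
    if not 0 <= requested_strip <= max_strip:
        raise ValueError(f"strip {requested_strip} exceeds allowed {max_strip}")
    return scopes[1 + requested_strip]


if __name__ == "__main__":
    for scope in candidate_scopes("www.shop.example.com", max_strip=1):
        print(scope)
    print(select_scope("www.shop.example.com", 1, requested_strip=1))
```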