On Mon, Feb 20, 2017 at 5:38 PM, Russ Housley <hous...@vigilsec.com> wrote:
>
> > On Feb 19, 2017, at 12:27 PM, Josh Soref <jso...@gmail.com> wrote:
> >
> >> A client should attempt to fulfill at most one of these challenges,
> >
> > fulfill is an odd word. And "attempt" is an odd word in concert. I'm
> > pretty sure you're trying to say to a client "once you've fulfilled a
> > challenge, you do not need to fulfill any additional challenges", not
> > "you should only try one challenge, and if you fail, you should not
> > try to complete any of the others".
> >
> > The "at most one" text is odd... I suppose a client could attempt to
> > fulfill zero challenges, but that seems pointless.
> >
> >> and a server should consider any one of the challenges sufficient to
> >> make the authorization valid.
> >
> > I think something like:
> >
> > A server SHOULD treat the challenges portion satisfied when a client
> > fulfills one challenge.
> >
> > That should be sufficient to tell client implementations that they
> > need to complete one, and that they don't need to complete more than
> > one. Without telling them that if they try one and fail, they
> > shouldn't try a different one.
> >
> > FWIW, as a user, I run into this portion of the spec often. Typically
> > my client tries https or http. But a friendly client would be willing
> > to try both, stopping if the first one it tries completes, but
> > continuing to the second if the first fails.
>
> +1. This is a significant improvement over the current text.
> SGTM. Send a PR?
>
> Russ
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
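The two behaviours the thread argues about, as an added worked example that is not part of the original messages and not code from any ACME implementation or from the ACME draft: a client that walks the offered challenges in its own preference order, stops at the first one it fulfills, and falls back to the next one only when an attempt fails; and a server-side check that treats one valid challenge as sufficient. The authorization object, the challenge types ("dns-01", "http-01"), the tokens and the two solvers are all constructed stand-ins. The `strict` flag is an added caveat: the rule RFC 8555 eventually published (section 7.1.6 state diagram) moves the whole authorization to "invalid" once a challenge fails, so the try-one-then-the-other strategy the thread hopes for does not work against a server that follows the final RFC.

```python
import copy
from typing import Callable, Dict, List, Optional


# Constructed authorization object in the shape of an ACME authorization
# (identifier plus a list of challenges). Tokens are placeholders, not real ones.
def make_authz() -> dict:
    return {
        "identifier": {"type": "dns", "value": "example.com"},
        "status": "pending",
        "challenges": [
            {"type": "dns-01", "status": "pending", "token": "tok-dns"},
            {"type": "http-01", "status": "pending", "token": "tok-http"},
        ],
    }


Solver = Callable[[dict], bool]  # returns True if the challenge was satisfied


def fulfill_one(authz: dict, solvers: Dict[str, Solver],
                preference: List[str]) -> Optional[str]:
    """Client side, the 'friendly client' behaviour from the thread: walk the
    challenges in the client's own preference order, attempt each one it has
    a solver for, and stop at the first success. A failed attempt is marked
    'invalid' (as a server would mark it after a failed validation) and the
    next challenge is tried. Returns the type of the fulfilled challenge, or
    None if none could be fulfilled. Challenges after the successful one are
    never touched, which is the 'no more than one' half of the rule."""
    by_type = {c["type"]: c for c in authz["challenges"]}
    for ctype in preference:
        challenge = by_type.get(ctype)
        solver = solvers.get(ctype)
        if challenge is None or solver is None:
            continue  # server did not offer it, or we cannot solve it
        try:
            ok = solver(challenge)
        except Exception:  # a solver blowing up counts as a failed attempt
            ok = False
        if ok:
            challenge["status"] = "valid"
            return ctype
        challenge["status"] = "invalid"
    return None


def authorization_status(authz: dict, strict: bool = False) -> str:
    """Server side. Non-strict is the rule the thread proposes: any one valid
    challenge satisfies the authorization, and failed attempts on other
    challenges are ignored. strict=True is the rule RFC 8555 later adopted
    (section 7.1.6 state diagram): a failed challenge moves the whole
    authorization to 'invalid', so a client gets no second try against a
    conforming server."""
    statuses = [c["status"] for c in authz["challenges"]]
    if strict and "invalid" in statuses:
        return "invalid"
    if "valid" in statuses:
        return "valid"
    return "pending"


# Constructed solvers standing in for real dns-01 / http-01 provisioning.
def dns_solver_that_fails(challenge: dict) -> bool:
    return False  # e.g. no API access to the DNS zone


def http_solver_that_works(challenge: dict) -> bool:
    return True  # e.g. token file served under /.well-known/acme-challenge/


def demo() -> dict:
    """Run the fallback scenario from the thread: dns-01 fails, http-01 works."""
    authz = make_authz()
    chosen = fulfill_one(authz,
                         {"dns-01": dns_solver_that_fails,
                          "http-01": http_solver_that_works},
                         preference=["dns-01", "http-01"])
    return {
        "chosen": chosen,
        "proposed_rule": authorization_status(authz),
        "rfc8555_rule": authorization_status(authz, strict=True),
    }


if __name__ == "__main__":
    print(demo())
```

Under the wording the thread proposes, `demo()` ends with the authorization valid via http-01 even though dns-01 failed first; under the strict RFC 8555 rule the same sequence leaves it invalid. A practical client therefore has to pick the one challenge it is sure it can complete before responding, rather than relying on a fallback.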