Re: [Acme] Returning multiple errors

Mon, 20 Nov 2017 15:22:21 -0800 

I've submitted a PR adding this to the spec:

https://github.com/ietf-wg-acme/acme/pull/354

commit a6cc0aedf96067e8b3aaf37662785fcf8b38dd18
Author: Jacob Hoffman-Andrews <git...@hoffman-andrews.com>
Date:   Mon Nov 20 15:14:29 2017 -0800

    Define sub-problems.

diff --git a/draft-ietf-acme-acme.md b/draft-ietf-acme-acme.md
index a2c11ab..a9e3535 100644
--- a/draft-ietf-acme-acme.md
+++ b/draft-ietf-acme-acme.md
@@ -521,6 +521,53 @@ set to a URI other than those defined above.
Servers MUST NOT use the ACME URN
 namespace for errors other than the standard types.  Clients SHOULD
display the
 "detail" field of all errors.

+### Sub-problems
+
+Sometimes a CA may need to return multiple errors to a single
+request. Additionally, the CA may need to attribute errors to specific
+identifiers.  For instance, a new-order request may contain multiple
+identifiers for which the CA cannot issue. In this situation, an ACME
+problem document MAY contain the "sub-problems" field, contains a JSON
+array of problem documents, each of which MAY contain an "identifier"
+field. If present, the "identifier" field MUST contain an ACME identifier
+({{iana-identifier}}). The "identifier" field MUST NOT be present at
+the top level in ACME problem documents. It can only be present in
sub-problems.
+Sub-problems need not all have the same type, and do not need to match
the top level type.
+
+ACME clients may choose to use the "identifier" field as a hint that
+an operation would succeed if certain identifiers were omitted. For
+instance, if an order contains ten DNS identifiers, and the new-order
+request returns a problem document with two sub-problems, referencing two
+of those identifiers, the ACME client may choose to submit another order
+containing only the eight identifiers not listed in the problem document.
+
+~~~~~
+HTTP/1.1 403 Forbidden
+Content-Type: application/problem+json
+
+{
+    "type": "urn:ietf:params:acme:error:malformed",
+    "detail": "Some of the identifiers requested were rejected",
+    "sub-problems": [
+        {
+            "type": "urn:ietf:params:acme:error:malformed",
+            "value": "Invalid underscore in DNS name \"_example.com\"",
+            "identifier": {
+                "type": "dns",
+                "value": "_example.com"
+            }
+        },
+        {
+            "type": "urn:ietf:params:acme:error:rejectedIdentifier",
+            "value": "This CA will not issue for \"example.net\"",
+            "identifier": {
+                "type": "dns",
+                "value": "example.net"
+            }
+        }
+    ]
+}
+~~~~~

 # Certificate Management

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme

Reply via email to