On 27/03/18 22:54, Daniel McCarney wrote:
> Are you also proposing that authorizations should be retrieved only by
> authenticated POST?

The information contained in an order will be (more or less) part of the certificate. Therefore, it seems plausible that this information is not "that" private. By the way, I did propose that *all* generated GET URLs shouldn't be guessable.

> That assumes an account order's list URL is predictable or can be learned
> without POSTing the account details, no?

Yes. And right now, I don't see why this is different from account URLs, which have "MUST NOT respond to GET requests". Note that the example contains the orders URL "https://example.com/acme/acct/1/orders". This sounds pretty guessable to me.

> Let's Encrypt's ACME server doesn't implement the "orders" field of an
> account object at all, I don't think it's a good example to reference for
> this argument.

"orders" is a required key and LE committed to never implementing it? Doesn't that sound like an argument for removing this feature from this spec?

Best,
Sophie

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
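As an added illustration of the two points argued in the message above (a sequential orders URL such as /acct/1/orders is guessable, and account-scoped resources should refuse GET and only answer a POST authenticated as the owning account), here is a small constructed model. It is example code, not Boulder's or any ACME server's implementation; the Server and Account names, the 128-bit random identifier, and the 405/401 status choices are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed toy model (not a real ACME server) of account and orders URLs.
@dataclass
class Account:
    url: str                 # account URL, also the JWS "kid" clients sign with
    orders_url: str          # the account's "orders" list URL
    orders: list = field(default_factory=list)

class Server:
    def __init__(self, base="https://example.com/acme", predictable=False):
        self.base = base
        self.predictable = predictable  # sequential ids, as in the spec example
        self.accounts = {}              # account URL -> Account
        self.next_id = 1

    def new_account(self):
        if self.predictable:
            ident, self.next_id = str(self.next_id), self.next_id + 1
        else:
            ident = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        acct = Account(url=f"{self.base}/acct/{ident}",
                       orders_url=f"{self.base}/acct/{ident}/orders")
        self.accounts[acct.url] = acct
        return acct

    def handle(self, method, url, kid=None):
        """Dispatch a request; kid is the account URL from an already verified JWS."""
        owner = next((a for a in self.accounts.values()
                      if url in (a.url, a.orders_url)), None)
        if owner is None:
            return 404, None
        # Account-scoped resources MUST NOT respond to GET (the rule the thread
        # quotes for account URLs), applied here to the orders URL as well.
        if method == "GET":
            return 405, None
        # Only a POST authenticated as the owning account may read them.
        if method != "POST" or kid != owner.url:
            return 401, None
        if url == owner.orders_url:
            return 200, {"orders": list(owner.orders)}
        return 200, {"status": "valid", "orders": owner.orders_url}

def looks_sequential(url):
    """True if the account id in the URL is a plain decimal counter."""
    m = re.search(r"/acct/([^/]+)", url)
    return bool(m) and m.group(1).isdigit()
```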