Hi Fraser,
Thank you for your comments.
On 12/11/2020 08:14, Fraser Tweedale wrote:
Hello!
I have some issues with this proposal.
1. It does not adequately explain how the ACME client receives
token-part2. "Over HTTPS" is vague. Presumably it comes as a field
in the challenge object, e.g.
"challenges": [
{
"type": "email-reply-01",
"url": "https://example.com/acme/chall/prV_B7yEyA4";,
"token-part2": "DGyRejmCefe7v4NfDGDKfA"
}
]
Yes.
This needs to be fully specified in the document.
2. It is not stated whether, in addition to sending the response
email, the client also has to POST to the challenge URL as specified
in RFC 8555 Section 7.5.1 (e.g. to signal that the email has been
sent and the server should prepare to receive and process it).
This might not always be possible when a MUA that doesn't support this
proposal directly is to be used. But I agree that this needs to be
clarified one way or another.
I suggest explicitly requiring the client to POST to the challenge
URL to advise the server to prepare to receive and validate it.
This is what RFC 8555 implies a client should do, and facilitates
different approaches to server implementation.
Yes, based on feedback from other people I realised that this is
underspecified. I will add description of you points #1 and #2 in the
next revision.
3. What is the motivation for supporting both text/plain and
multipart/alternative in the body of the response email? This
complicates server implementations, but I can't think why it would
be needed. Please either explain why both options are needed,
otherwise could it be limited to text/plain?
Basically this needs to work with existing email clients as is and this
is not something that can always (or easily) be controlled by users. A
lot of them will generated multipart/alternative instead of text/plain,
especially if they want to include nicely formatted HTML.
Best Regards,
Alexey
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
