> Section 4:
> The client MUST NOT request a profile name that is not
> advertised in the server's Directory metadata object.
> ...
> If the server receives a newOrder request specifying a profile that
> it is not advertising
I would like to see these sentences removed or altered from MUST NOT to SHOULD NOT. My concern is that it makes CAs that provide profiles based on an account (be it an ACME account or an external CA account) non-compliant with this specification. Without this language, an ACME server could accept personalized profiles in an order that were not present in the directory profiles. It is not practical for the ACME service I work on to publish all profiles in the directory, and even if it were, not all profiles would be available to all accounts.

It also introduces a security issue, because directory requests are not authenticated. For services like ours that provide per-account ACME endpoints, we serve a directory response for any request that could be a valid directory URL. This is to prevent enumeration attacks, so if we were to include per-account profile information in the directory we would be adding a vector for enumeration.

Has there been any discussion about adding a POST-as-GET style "profiles" endpoint?

Cheers,
-Ben

On Wed, Aug 6, 2025 at 4:00 PM IETF Secretariat <[email protected]> wrote:
>
> The ACME WG has placed draft-aaron-acme-profiles in state
> Call For Adoption By WG Issued (entered by Mike Ounsworth)
>
> The document is available at
> https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/
>
> Comment:
> CfA started 2025-08-06, runs until 2025-08-20.
>
> _______________________________________________
> Acme mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
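As an added illustration of the two server-side behaviours under discussion (this is not code from the draft, from Ben's CA, or from any ACME implementation): the draft's strict rule, under which a newOrder may only name a profile advertised in the directory's `meta.profiles` object, beside the per-account relaxation Ben describes, where an authenticated account may also use a profile that the unauthenticated directory deliberately does not list. The directory document, account URLs and entitlement table are constructed sample data, and the `meta.profiles` and `profile` field names are assumed from the draft.

```python
import json

# Constructed directory document in the shape draft-aaron-acme-profiles
# describes (assumption: profiles live under meta.profiles, keyed by name).
# It is served unauthenticated, so only profiles that are safe to show to
# anyone belong here.
DIRECTORY = json.loads("""{
  "newNonce": "https://ca.example/acme/new-nonce",
  "newOrder": "https://ca.example/acme/new-order",
  "meta": {
    "profiles": {
      "classic": "Public TLS server certificate, 90 days",
      "shortlived": "Public TLS server certificate, 6 days"
    }
  }
}""")

# Constructed per-account entitlements of the kind the post describes:
# profiles valid for one account that are never published in the directory,
# so that an unauthenticated directory fetch reveals nothing account-specific.
ACCOUNT_PROFILES = {
    "https://ca.example/acme/acct/42": {"classic", "shortlived", "internal-mtls"},
    "https://ca.example/acme/acct/77": {"classic"},
}

class ProfileError(ValueError):
    """Raised when a newOrder names a profile the server will not issue."""

def advertised_profiles(directory):
    """Profile names the (unauthenticated) directory advertises."""
    return set(directory.get("meta", {}).get("profiles", {}))

def validate_new_order(directory, account_url, new_order, strict=True):
    """Return the profile to bind to the order, or None for the server default.

    strict=True  : the draft's MUST NOT rule; only advertised profiles pass.
    strict=False : the relaxation the post asks for; a profile the
                   authenticated account is entitled to also passes.
    account_url is the account identified by the signed newOrder request.
    """
    profile = new_order.get("profile")
    if profile is None:
        return None
    if profile in advertised_profiles(directory):
        return profile
    if not strict and profile in ACCOUNT_PROFILES.get(account_url, set()):
        return profile
    raise ProfileError(f"profile {profile!r} is not available to this account")
```

Because the entitlement check runs only on the signed newOrder, a request to a per-account directory URL returns the same generic document whether or not the account exists, which is the enumeration property the post is trying to preserve.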
