On Sat, Apr 11, 2026 at 01:25:54PM +0800, 吴攀雨 wrote:

> > If the ACME client is supposed to compute the PoP, why not return it
> > directly? Much simpler for client and ACME server.
> > E.g. .onion validation can use direct return.
> 
> This is consistent with our current design. The client generates the PoP by
> signing a message including a nonce with the asserted private key, and
> sends the resulting proof to the AS.
> We suspect the comment may be due to a wording ambiguity in the draft
> rather than a behavioral difference. We will clarify the text accordingly.

I do not see any way in -05 for the ACME client to directly transmit
the pk-01 PoP to ACME server. All I see is indirect ways (via DNS, HTTP,
E-Mail or TLS-ALPN):


"Write proof to the _acme-challenge.<domain> DNS TXT record for the
domain:"

"Deploy proof to the following HTTP path (using token as part of the
path):"

"Send the proof as the body of a reply to the server's specified
address in an S/MIME email."

"Configure a TLS listener on port 443 of the domain. When an AS
initiates a connection using the ALPN protocol identifier “acme-pk/1”,
return proof as the handshake response data."


What would be direct is sending the PoP in POST request to the
challenge url. This would also avoid associating keys with domains; it is
not clear what that actually means.

-Ilari

_______________________________________________
Acme mailing list -- [email protected]
To unsubscribe send an email to [email protected]
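The "direct return" discussed above, as an added Go example that is not part of this thread or of the draft: the client signs the AS-issued token (nonce) with the asserted private key and POSTs the resulting proof straight to the challenge URL, where the AS verifies it under the public key the order asserted. Everything about the encoding is an assumption made for the example, not taken from -05: Ed25519 as the asserted key type, a domain-separated message of prefix || token || public key as the thing signed, a JSON body with a single `sig` field, the `/acme/chall/1` path, and the `pending`/`valid`/`invalid` status strings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Challenge is the AS-side state for one challenge: the token (nonce) it issued
// and the public key the order asserts. Illustrative, not the draft's format.
type Challenge struct {
	Token       []byte
	AssertedPub ed25519.PublicKey
	Status      string // "pending", "valid" or "invalid"
}

// Proof is the body the client POSTs: base64url of the Ed25519 signature.
type Proof struct {
	Sig string `json:"sig"`
}

// NewChallenge mints a fresh 32-byte token bound to the asserted key.
func NewChallenge(assertedPub ed25519.PublicKey) (*Challenge, error) {
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	return &Challenge{Token: tok, AssertedPub: assertedPub, Status: "pending"}, nil
}

// popMessage is what both sides sign and verify. Prefix and public key are this
// example's assumption, not the draft's; they keep a signature over a bare
// nonce made for some other protocol from being replayed as a PoP here.
func popMessage(token []byte, pub ed25519.PublicKey) []byte {
	msg := append([]byte("acme-pk-pop-example\x00"), token...)
	return append(append(msg, 0), pub...)
}

// MakeProof is the client side: sign the PoP message with the key it claims.
func MakeProof(priv ed25519.PrivateKey, token []byte) Proof {
	pub := priv.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(priv, popMessage(token, pub))
	return Proof{Sig: base64.RawURLEncoding.EncodeToString(sig)}
}

// VerifyProof is the AS side: the signature must verify under the asserted key
// over this challenge's token. The status is decided once, so a later POST,
// good or bad, cannot flip it. Returns the resulting status.
func VerifyProof(ch *Challenge, p Proof) string {
	sig, err := base64.RawURLEncoding.DecodeString(p.Sig)
	ok := err == nil && ed25519.Verify(ch.AssertedPub, popMessage(ch.Token, ch.AssertedPub), sig)
	if ch.Status == "pending" {
		ch.Status = map[bool]string{true: "valid", false: "invalid"}[ok]
	}
	return ch.Status
}

// ChallengeHandler takes the proof as the body of a POST to the challenge URL
// and answers with the status (one request at a time is assumed here).
func ChallengeHandler(ch *Challenge) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var p Proof
		if r.Method != http.MethodPost ||
			json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&p) != nil {
			http.Error(w, "expected POST with a JSON proof", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"status": VerifyProof(ch, p)})
	}
}

// DirectReturn runs the exchange in-process: the AS mints a challenge bound to
// assertedPub, the client signs with priv and POSTs to the challenge URL.
func DirectReturn(assertedPub ed25519.PublicKey, priv ed25519.PrivateKey) (string, error) {
	ch, err := NewChallenge(assertedPub)
	if err != nil {
		return "", err
	}
	srv := httptest.NewServer(ChallengeHandler(ch))
	defer srv.Close()
	body, _ := json.Marshal(MakeProof(priv, ch.Token))
	resp, err := http.Post(srv.URL+"/acme/chall/1", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out map[string]string
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out["status"], err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(DirectReturn(pub, priv)) // valid <nil>
}
```

The AS verifies against the key it already associated with the order when it minted the challenge, so nothing has to be looked up through DNS, HTTP, e-mail or TLS-ALPN on the domain; a proof made with any other key comes back `invalid`, and because the status is fixed on the first POST, a replayed or second body cannot change a decided challenge.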