[Pki-devel] [acme] getOrderByAuthorization() / orders and authorisations

Fraser Tweedale ftweedal at redhat.com
Wed Dec 4 09:15:15 UTC 2019


Just want to flag something related to ACME orders and
authorisations.

In ACME authorizations can be shared by multiple orders.  In fact
you can also "preauthorize" your account for an identifier, so there
can also be authorizations with no orders attached.

Does the way we have implemented the ACME service ensure that an
authorization has only one order (or at most one order)?  If so, do
we want it that way?  It entails that every identifier must be
re-authorised upon every order.

Personally I think this is not the way we want to go.  Let me
describe a scenario.

Client orders a cert for a.example.com, completes the authorisation
for a.example.com, and gets the cert.

Shortly afterwards, they realise they also need b.example.com on the
certificate.  So they make a new order with BOTH identifiers.

Should the client have to complete another authorisation for
a.example.com, while their existing authorisation remains "fresh"
(unexpired)?  It is valid to require the client to re-authorise
every identifier for every order.  But it is not optimal.  Ideally
we should observe that for the account there is already a
non-expired authorisation for "a.example.com", and attach that to
the order (along with the new authorisation for "b.example.com"
which the client must complete).

Anyhow just some ideas as I proceed with implementation of the LDAP
database implementation.  Let me know your thoughts.

Cheers,
Fraser
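To make the reuse rule concrete, here is an added example (not code from the Dogtag PKI project) of an account-scoped authorization store: the names Authorization, Order, AccountAuthzStore and T0 are assumptions. new_order attaches an existing valid, unexpired authorization for an identifier and creates a pending one only where none exists, so the a.example.com / b.example.com scenario above needs just one new challenge.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

T0 = datetime(2019, 12, 4, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class Authorization:
    identifier: str
    status: str            # "pending", "valid" or "invalid" (expiry is checked by time)
    expires: datetime

    def reusable(self, now: datetime) -> bool:
        """Only a valid, unexpired authorization may be attached to a new order."""
        return self.status == "valid" and self.expires > now


@dataclass
class Order:
    identifiers: list
    authz_ids: list        # authorizations shared with other orders, or newly created


class AccountAuthzStore:
    """Toy per-account store (assumed name); authorizations live independently of orders."""

    def __init__(self, lifetime: timedelta = timedelta(days=30)):
        self.authz = {}    # authz id -> Authorization
        self.lifetime = lifetime
        self._counter = 0

    def preauthorize(self, identifier: str, now: datetime) -> str:
        """Pre-authorization: an authorization with no order attached (yet)."""
        self._counter += 1
        aid = f"authz-{self._counter}"
        self.authz[aid] = Authorization(identifier, "pending", now + self.lifetime)
        return aid

    def complete_challenge(self, aid: str) -> None:
        self.authz[aid].status = "valid"   # stand-in for a successful challenge

    def new_order(self, identifiers: list, now: datetime) -> Order:
        """Reuse a fresh authorization per identifier; create a pending one otherwise."""
        authz_ids = []
        for ident in identifiers:
            reuse = [aid for aid, a in self.authz.items()
                     if a.identifier == ident and a.reusable(now)]
            authz_ids.append(reuse[0] if reuse else self.preauthorize(ident, now))
        return Order(list(identifiers), authz_ids)

    def pending_identifiers(self, order: Order) -> list:
        """Identifiers the client still has to prove control of for this order."""
        return [self.authz[aid].identifier for aid in order.authz_ids
                if self.authz[aid].status != "valid"]
```

An authorization that has expired, or that is still pending or invalid, is deliberately never reused: the client gets a fresh pending one for that identifier instead.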