ietf-wg-acme / acme

A protocol for automating certificate issuance
https://datatracker.ietf.org/doc/draft-ietf-acme-acme/

Order of identifiers and authorizations in new-order is not specified #419

Closed csware closed 6 years ago

csware commented 6 years ago

On the new-order request, there are two arrays returned, one for the identifiers and one for the authorizations. However, there is no order specified in ACMEv2. As two arrays are returned (and no hash), this might imply that the order of identifiers matches the order of authorizations.

This is not specified right now. Having this specified would allow clients to know in advance for which identity they are requesting the authorization challenge before requesting the URL, e.g. for better error reporting.

It would also be OK to just explicitly specify that the order is not guaranteed, or that the number of entries is not guaranteed to match, in order to make it clearer to developers.

cf. https://community.letsencrypt.org/t/dns-based-validation-fails-on-renew/59027?u=mrtux

jsha commented 6 years ago

From the outcome of the linked conversation, we should just specify that no specific order is guaranteed.

cpu commented 6 years ago

> we should just specify that no specific order is guaranteed.

:+1: - https://github.com/ietf-wg-acme/acme/pull/421

I will start a mailing list thread since this is a new SHOULD NOT.
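The client-side consequence of this thread, as an added example that is not part of the issue or of any ACME client: pair each authorization with its identifier by reading the `identifier` field of the fetched authorization object, never by array position. It goes slightly beyond the thread by also handling the RFC 8555 `wildcard` flag; the URLs, the sample data, and the choice to reject an authorization for a name outside the order are assumptions of this sketch.

```python
from typing import Callable, Dict, Tuple

Key = Tuple[str, str]  # (identifier type, name as written in the order)

def order_key(authz: dict) -> Key:
    """Key an authorization by the identifier carried in its own body."""
    ident = authz["identifier"]
    value = ident["value"].lower()
    # RFC 8555: a wildcard authorization carries the base domain
    # plus "wildcard": true, so rebuild the name used in the order.
    if authz.get("wildcard", False):
        value = "*." + value
    return (ident["type"], value)

def map_authorizations(order: dict, fetch: Callable[[str], dict]) -> Dict[Key, str]:
    """Return {identifier key: authorization URL} for the URLs in the order.

    The arrays are not compared by index or by length; an identifier with
    no entry in the result simply had no matching authorization returned.
    """
    wanted = {(i["type"], i["value"].lower()) for i in order["identifiers"]}
    found: Dict[Key, str] = {}
    for url in order["authorizations"]:
        key = order_key(fetch(url))
        if key not in wanted:  # policy of this example, not of the spec text above
            raise ValueError(f"{url} is for {key}, which is not in the order")
        found[key] = url
    return found

# Constructed sample data (hypothetical server and URLs). The authorizations
# are deliberately listed in a different sequence than the identifiers.
SAMPLE_ORDER = {
    "identifiers": [
        {"type": "dns", "value": "example.org"},
        {"type": "dns", "value": "*.example.org"},
        {"type": "dns", "value": "www.example.net"},
    ],
    "authorizations": [
        "https://acme.example/authz/3",
        "https://acme.example/authz/1",
        "https://acme.example/authz/2",
    ],
}
SAMPLE_AUTHZ = {
    "https://acme.example/authz/1": {"identifier": {"type": "dns", "value": "example.org"}, "wildcard": True},
    "https://acme.example/authz/2": {"identifier": {"type": "dns", "value": "example.org"}},
    "https://acme.example/authz/3": {"identifier": {"type": "dns", "value": "www.example.net"}},
}

if __name__ == "__main__":
    for key, url in sorted(map_authorizations(SAMPLE_ORDER, SAMPLE_AUTHZ.__getitem__).items()):
        print(key, "->", url)
```

In a real client `fetch` would be the authenticated request for the authorization URL; the error message can then name the identifier that failed instead of an array index.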