yaronf / I-D

Internet Drafts

the delegation field should be per-order rather than per-identifier #171

Closed thomas-fossati closed 3 years ago

thomas-fossati commented 3 years ago

From the IANA Designated Expert review (Richard Barnes)

The "delegation" field is currently attached to the "identifier" object,
which is a bad semantic fit in a few ways. ACME orders can have multiple
identifiers, and delegations can describe multiple SAN values, yet this
design assumes singularity on both sides. This field should be moved
to the order object; in fact, if you wanted to be more radical, you could
even use it to replace the "identifiers" field in the newOrder request.

yaronf commented 3 years ago

Agreed. delegation should move from the identifier array to become a top-level parameter of newOrder as well as a top-level member of the Order object.

We would need to rephrase some text to ensure correspondence between identifiers, specifically this text:

MUST have the delegated name as the identifier value with a delegation attribute indicating the configuration used for the identifier.

Also as a result, we can drop the new IANA registry, ACME Identifier Object Fields.
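To make the correspondence requirement concrete, here is an added example (not code from the draft or from this thread) of the check a server would run once "delegation" is a top-level member of the Order object: every identifier in the order must be covered by the delegation configuration the order references. The shape of that configuration (an object with an "allowed_names" list) and the sample URLs and names are assumptions constructed for the example.

```python
"""Check that an ACME order's identifiers all correspond to the order's
top-level "delegation" configuration.

Added example, not part of the draft or the issue discussion. The
configuration shape (an "allowed_names" list) is an assumption made for
illustration; the sample order, URLs and names below are constructed."""
import json

# Constructed sample: the Order object as proposed in the issue, with
# "delegation" as a top-level member rather than inside each identifier.
ORDER_PER_ORDER = json.dumps({
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "abc.ndc.dno.example"},
        {"type": "dns", "value": "DEF.ndc.dno.example"},
    ],
    "delegation": "https://acme.ido.example/delegation/1",
})

# Constructed sample of the old layout the issue argues against: a
# "delegation" attribute attached to an individual identifier.
ORDER_PER_IDENTIFIER = json.dumps({
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "abc.ndc.dno.example",
         "delegation": "https://acme.ido.example/delegation/1"},
    ],
})

# Constructed sample of what the delegation URL resolves to. One
# delegation can describe several SAN values, which is the point
# the reviewer raised. "allowed_names" is a hypothetical field name.
DELEGATION_CONFIGS = {
    "https://acme.ido.example/delegation/1": {
        "allowed_names": ["abc.ndc.dno.example", "def.ndc.dno.example"],
    },
}


def _norm(name):
    """DNS names compare case-insensitively; strip a trailing dot as well."""
    return name.lower().rstrip(".")


def check_order(order_json, configs):
    """Return the identifier values NOT covered by the order's delegation.

    An empty list means every identifier corresponds to the delegation.
    Raises ValueError when the order is structurally wrong: no top-level
    delegation, a per-identifier delegation, or an unknown delegation URL.
    """
    order = json.loads(order_json)
    if "delegation" not in order:
        raise ValueError("order has no top-level delegation")
    for ident in order.get("identifiers", []):
        if "delegation" in ident:
            raise ValueError("delegation must be per-order, not per-identifier")
    config = configs.get(order["delegation"])
    if config is None:
        raise ValueError("unknown delegation: " + order["delegation"])
    allowed = {_norm(n) for n in config["allowed_names"]}
    uncovered = []
    for ident in order["identifiers"]:
        # Only dns identifiers can be matched against delegated names;
        # anything else is reported as uncovered.
        if ident.get("type") != "dns" or _norm(ident["value"]) not in allowed:
            uncovered.append(ident["value"])
    return uncovered


if __name__ == "__main__":
    print("uncovered:", check_order(ORDER_PER_ORDER, DELEGATION_CONFIGS))
```

Because the delegation lives on the order, the check runs once per order against a single configuration; an identifier outside the delegated names, or an order that still carries a per-identifier "delegation", is rejected before any authorization is created.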

yaronf commented 3 years ago

cc @bifurcation.