👋 Hi there,
Of the two new identifier types (permanent-identifier and hardware-module), only permanent-identifier describes how it should appear in a CSR, saying in §3:
The identity along with the assigning organization can be included in the Subject Alternate Name Extension using the PermanentIdentifier form described in [RFC4043].
In contrast, §4 about hardware-module only says:
If the server includes HardwareModule in the subjectAltName extension the CA MUST verify that the certificate key was generated on the secure cryptoprocessor with the asserted identity and type
Is there a specific choice of GeneralName the CA should expect to find for a hardware-module subjectAltName? Is it an otherName w/ a specific OID like PermanentIdentifier?
RFC 8555 §7.4 says:
The CSR MUST indicate the exact same set of requested identifiers as the initial newOrder request. Identifiers of type "dns" MUST appear either in the commonName portion of the requested subject name or in an extensionRequest attribute [RFC2985] requesting a subjectAltName extension, or both. (These identifiers may appear in any sort order.) Specifications that define new identifier types must specify where in the certificate signing request these identifiers can appear.
For an ACME server to meet that requirement I think the specification of the hardware-module identifier needs to provide more detail. WDYT?
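For the identifier type that does define a CSR form, here is what the two halves of the question look like in code: an ACME client putting a PermanentIdentifier (RFC 4043) into the subjectAltName as an otherName, and a CA extracting it again and applying the RFC 8555 §7.4 "exact same set of identifiers" rule. This is an added example written for this discussion, not code from the draft or from the repository the issue belongs to. It deliberately handles only permanent-identifier: hardware-module is left out precisely because the draft does not say which GeneralName to expect, and "dns" handling (CN or dNSName SAN entries) is omitted for brevity. The OIDs are the ones the cited RFCs define; the assigner OID 2.999.1 and the serial SN-00042 are constructed placeholders, and all function and type names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}                  // id-ce-subjectAltName (RFC 5280)
var oidPermanentIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 3} // id-on-permanentIdentifier (RFC 4043)
var exampleAssignerOID = asn1.ObjectIdentifier{2, 999, 1}                     // constructed placeholder (ITU-T example arc)

type Identifier struct{ Type, Value string } // one ACME identifier object: {"type": ..., "value": ...}

// permanentIdentifier is the RFC 4043 PermanentIdentifier SEQUENCE.
type permanentIdentifier struct {
	IdentifierValue string                `asn1:"utf8,optional"`
	Assigner        asn1.ObjectIdentifier `asn1:"optional"`
}

// otherName is the RFC 5280 OtherName SEQUENCE; Value keeps the [0] EXPLICIT wrapper as a RawValue.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  asn1.RawValue
}

func must[T any](v T, err error) T { // shorthand for the client-side builder; the CA side returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// makeDeviceCSR stands in for the ACME client: fresh P-256 key, CSR whose SAN holds only the PermanentIdentifier otherName.
func makeDeviceCSR(pi permanentIdentifier) *x509.CertificateRequest {
	on := otherName{TypeID: oidPermanentIdentifier, Value: asn1.RawValue{
		Class: asn1.ClassContextSpecific, Tag: 0, IsCompound: true, Bytes: must(asn1.Marshal(pi))}}
	san := must(asn1.Marshal([]asn1.RawValue{{FullBytes: must(asn1.MarshalWithParams(on, "tag:0"))}}))
	tmpl := &x509.CertificateRequest{ExtraExtensions: []pkix.Extension{{Id: oidSubjectAltName, Value: san}}}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
}

// identifiersFromCSR collects the "permanent-identifier" values a CSR asserts: every SAN otherName whose
// type-id is id-on-permanentIdentifier. Other GeneralName forms and other otherName types are skipped.
func identifiersFromCSR(csr *x509.CertificateRequest) (map[Identifier]bool, error) {
	ids := map[Identifier]bool{}
	for _, ext := range csr.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName (a CHOICE, so kept raw)
		if _, err := asn1.Unmarshal(ext.Value, &names); err != nil {
			return nil, err
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue
			}
			var on, pi = otherName{}, permanentIdentifier{}
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				return nil, err
			}
			if !on.TypeID.Equal(oidPermanentIdentifier) {
				continue
			}
			if _, err := asn1.Unmarshal(on.Value.Bytes, &pi); err != nil {
				return nil, err
			}
			ids[Identifier{"permanent-identifier", pi.IdentifierValue}] = true
		}
	}
	return ids, nil
}

// csrMatchesOrder applies the RFC 8555 §7.4 rule quoted in the issue: the CSR must verify under its
// own key and assert exactly the order's identifier set (order identifiers are assumed distinct).
func csrMatchesOrder(order []Identifier, csr *x509.CertificateRequest) (bool, error) {
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	got, err := identifiersFromCSR(csr)
	if err != nil || len(got) != len(order) {
		return false, err
	}
	for _, id := range order {
		if !got[id] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	pi := permanentIdentifier{IdentifierValue: "SN-00042", Assigner: exampleAssignerOID}
	fmt.Println(csrMatchesOrder([]Identifier{{"permanent-identifier", "SN-00042"}}, makeDeviceCSR(pi)))
}
```

Two details are worth noting. The otherName is carried as `[0] IMPLICIT OtherName` inside GeneralNames and its value as `[0] EXPLICIT`, which is why the parser unwraps in two steps and checks the type-id before decoding the inner SEQUENCE; Go's own CSR parser ignores otherName entries, so `csr.DNSNames` stays empty and the extension has to be walked by hand. The exact-set comparison is what makes the question in this issue matter: a CA can only run it for an identifier type whose CSR encoding is pinned down.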