diff --git a/draft-ietf-acme-onion.xml b/draft-ietf-acme-onion.xml
index 0f0639b..c006fba 100644
--- a/draft-ietf-acme-onion.xml
+++ b/draft-ietf-acme-onion.xml
@@ -8,7 +8,8 @@
 ]>
 
 <rfc xmlns:xi="http://www.w3.org/2001/XInclude"
-     ipr="trust200902" submissionType="IETF" category="std" version="3" docName="draft-ietf-acme-onion-latest">
+     ipr="trust200902" submissionType="IETF" category="std" version="3" docName="draft-ietf-acme-onion-latest"
+     consensus="true">
   <front>
     <title abbrev="ACME for .onion">Automated Certificate Management Environment (ACME) Extensions for ".onion"
       Special-Use Domain Names</title>
@@ -22,7 +23,7 @@
           <code>CF23 9EU</code>
           <country>United Kingdom</country>
         </postal>
-        <email>q@as207970.net</email>
+        <email>q@as207960.net</email>
         <email>q@magicalcodewit.ch</email>
         <uri>https://magicalcodewit.ch</uri>
       </address>
@@ -65,8 +66,8 @@
         <t>The key words <bcp14>MUST</bcp14>, <bcp14>MUST NOT</bcp14>, <bcp14>REQUIRED</bcp14>, <bcp14>SHALL</bcp14>,
           <bcp14>SHALL NOT</bcp14>, <bcp14>SHOULD</bcp14>, <bcp14>SHOULD NOT</bcp14>, <bcp14>RECOMMENDED</bcp14>,
           <bcp14>NOT RECOMMENDED</bcp14>, <bcp14>MAY</bcp14>, and <bcp14>OPTIONAL</bcp14> in this document are to be
-          interpreted as described in <xref target="BCP14"/> when, and only when, they appear in all capitals,
-          as shown here.</t>
+          interpreted as described in <xref target="BCP14"/> (<xref target="RFC2119"/>, <xref target="RFC8174"/>) when,
+          and only when, they appear in all capitals, as shown here.</t>
       </section>
     </section>
 
@@ -113,7 +114,9 @@
             ".onion" Special-Use Domain Names, with the modifications defined in this standard, namely
             <xref target="client-auth"/>, and <xref target="caa"/>.</t>
           <t>The ACME server <bcp14>SHOULD</bcp14> follow redirects; note that these <bcp14>MAY</bcp14> be redirects to
-            non ".onion" services, and the server <bcp14>SHOULD</bcp14> honour these.</t>
+            non ".onion" services, and the server <bcp14>SHOULD</bcp14> honour these. See
+            <xref target="RFC8555" section="10.2"/> for security considerations on why a server might not want to
+            follow redirects.</t>
         </section>
         <section>
           <name>Existing "tls-alpn-01" Challenge</name>
@@ -136,8 +139,9 @@
           <dd>The string <tt>onion-csr-01</tt></dd>
           <dt>nonce (required, string)</dt>
           <dd>A Base64 <xref target="RFC4648"/> encoded nonce, including padding characters.
-            It <bcp14>MUST</bcp14> contain at least 64 bits of entropy. A response generating using this nonce
-            <bcp14>MUST NOT</bcp14> be accepted by the ACME server if the nonce was generated more than 30 days ago.</dd>
+            It <bcp14>MUST</bcp14> contain at least 64 bits of entropy. A response generated  using this nonce
+            <bcp14>MUST NOT</bcp14> be accepted by the ACME server if the nonce used was generated by the server more
+            than 30 days ago.</dd>
           <dt>authKey (optional, object)</dt>
           <dd>The Ed25519 public key encoded as per <xref target="RFC8037"/>.</dd>
         </dl>
@@ -187,7 +191,7 @@ applicantSigningNonce ATTRIBUTE ::= {
           The public key presented in this CSR <bcp14>MUST</bcp14> be the public key corresponding to the ".onion"
           Special-Use Domain Name being validated. It <bcp14>MUST NOT</bcp14> be the same public key presented in the
           CSR to finalize the order.</t>
-        <t>Client respond with the following object to validate the challenge:</t>
+        <t>Clients respond with the following object to validate the challenge:</t>
         <dl>
           <dt>csr (required, string)</dt>
           <dd>
@@ -296,7 +300,7 @@ introduction-point AwAGsAk5nSMpAhRqhMHbTFCTSlfhP8f5PqUhe6DatgMgk7kSL3
           there is in the DNS there is no need, nor indeed any method available, to search up the DNS tree for a
           relevant CAA record set. Similarly, it is also impossible to check CAA records on the "onion" Special-Use TLD,
           as it does not exist in any form except as described in <xref target="RFC7686"/>, so implementors
-          <bcp14>MUST</bcp14> not look here either.</t>
+          <bcp14>MUST NOT</bcp14> look here either.</t>
         <t>Instead all subdomains under a ".onion" Special-Use Domain Name share the same CAA record set. That is,
           all of these share a CAA record set with "a.onion":</t>
         <ul>
diff --git a/lib b/lib
index c35bd65..329c20b 160000
--- a/lib
+++ b/lib
@@ -1 +1 @@
-Subproject commit c35bd65c0239cc39a8376bb2bc6a160a4a85f367
+Subproject commit 329c20bc039eb3278df377bdd545e6466fae3fc7