[Acme] Re: [Technical Errata Reported] RFC8555 (8381)

Deb Cooley <debcooley1@gmail.com> Wed, 16 April 2025 23:35 UTC

To: Erik Nygren <erik+ietf@nygren.org>, Richard Barnes <rlb@ipv.sx>
CC: jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu, acme@ietf.org, "Kaduk, Ben" <bkaduk@akamai.com>

Trimming the to line so it doesn't get stuck in moderation.....

I'm just making sure that I know what needs to be done when I next go in to
mark this errata as verified (not today, BTW).

I'm replacing the Corrected Text with this text?

"Dereference the URL using an HTTP GET request.  This request MUST be sent
to TCP port 80 on the HTTP server.  The HTTP client MUST ignore the
presence and content of any HTTPS DNS RRs [RFC 9460] for the domain name
being verified.  This includes, but is not limited to, a requirement that
the HTTP client MUST NOT apply the strict transport security behavior
specified in Section 9.5 of [RFC9460]."

And then not touching the original text or the notes.

If I've gotten this wrong, it might be easier to file another errata and
I'll reject the first and verify the second.

Deb
Your errata servant

On Wed, Apr 16, 2025 at 2:43 PM Erik Nygren <erik+ietf@nygren.org> wrote:

> Revised proposed text from Ben Kaduk:
>
> "The HTTP client MUST ignore the presence and content of any HTTPS DNS RRs
> [RFC 9460] for the domain name being verified.  This includes, but is not
> limited to, a requirement that the HTTP client MUST NOT apply the strict
> transport security behavior specified in Section 9.5 of [RFC9460]."
>
> On Wed, Apr 16, 2025 at 10:41 AM Richard Barnes <rlb@ipv.sx> wrote:
>
>> I would mark this as Verified, though I suggested a couple of friendly
>> amendments on the mailing list:
>>
>> https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/
>>
>> On Tue, Apr 15, 2025 at 6:49 PM RFC Errata System <
>> rfc-editor@rfc-editor.org> wrote:
>>
>>> The following errata report has been submitted for RFC8555,
>>> "Automatic Certificate Management Environment (ACME)".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid8381
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Erik Nygren <erik+ietf@nygren.org>
>>>
>>> Section: 8.3
>>>
>>> Original Text
>>> -------------
>>>    3.  Dereference the URL using an HTTP GET request.  This request MUST
>>>        be sent to TCP port 80 on the HTTP server.
>>>
>>> Corrected Text
>>> --------------
>>>    3.  Dereference the URL using an HTTP GET request.  This request MUST
>>>        be sent to TCP port 80 on the HTTP server.  (The HTTP client must
>>>        not resolve and/or must ignore any HTTPS DNS RRs [RFC 9460].)
>>>
>>> Notes
>>> -----
>>> Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the client
>>> to switch from HTTP to HTTPS scheme which would break HTTP-01 lookups.  The
>>> RFC8555 text is clear that "request MUST be sent to TCP port 80 on the HTTP
>>> server" which would be violated if the validating client did an HTTPS RR
>>> lookup in the DNS and followed the instructions in RFC 9460 section 9.5.
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". (If it is spam, it
>>> will be removed shortly by the RFC Production Center.) Please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> will log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC8555 (draft-ietf-acme-acme-18)
>>> --------------------------------------
>>> Title               : Automatic Certificate Management Environment (ACME)
>>> Publication Date    : March 2019
>>> Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
>>> Category            : PROPOSED STANDARD
>>> Source              : Automated Certificate Management Environment
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>
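The failure mode the erratum describes, as an added example that is not part of the thread: a constructed zone carries both an A record and an HTTPS RR for the same name; a client that applies the RFC 9460 Section 9.5 upgrade ends up targeting https on 443, whereas an HTTP-01 validator that only resolves A/AAAA stays on plain HTTP to TCP port 80 as RFC 8555 Section 8.3 requires. The zone, the function names and the `Target` type are assumptions for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed DNS zone for illustration: (owner name, RR type) -> RDATA strings.
ZONE = {
    ("example.test", "A"): ["192.0.2.10"],
    ("example.test", "HTTPS"): ['1 . alpn="h2" port=443'],  # the record that causes trouble
}

def lookup(domain: str, rrtype: str) -> list:
    return ZONE.get((domain, rrtype), [])

def challenge_url(domain: str, token: str) -> str:
    # RFC 8555 Section 8.3: the validation URL is always http://, never https://.
    return f"http://{domain}/.well-known/acme-challenge/{token}"

@dataclass(frozen=True)
class Target:
    scheme: str
    host: str
    port: int
    address: str

def rfc9460_aware_client(url: str) -> Target:
    """Browser-style fetch: an HTTPS RR for the name triggers the Section 9.5
    HSTS-like upgrade, so the plain-HTTP challenge URL is rewritten to https/443."""
    parts = urlsplit(url)
    scheme, port = parts.scheme, parts.port or 80
    if lookup(parts.hostname, "HTTPS"):
        scheme, port = "https", 443  # scheme upgrade: violates the port-80 rule
    addrs = lookup(parts.hostname, "A") + lookup(parts.hostname, "AAAA")
    return Target(scheme, parts.hostname, port, addrs[0])

def http01_validator(url: str) -> Target:
    """Compliant validator: the HTTPS RR type is never queried, so nothing can
    force a scheme change, and the connection is pinned to TCP port 80."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("HTTP-01 challenge URLs must use the http scheme")
    addrs = lookup(parts.hostname, "A") + lookup(parts.hostname, "AAAA")
    if not addrs:
        raise LookupError(f"no A/AAAA records for {parts.hostname}")
    return Target("http", parts.hostname, 80, addrs[0])

if __name__ == "__main__":
    url = challenge_url("example.test", "constructed-token")
    print("RFC 9460 client :", rfc9460_aware_client(url))
    print("HTTP-01 validator:", http01_validator(url))
```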