Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

Rob Sayre <sayrer@gmail.com> Mon, 15 January 2024 12:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2ESYEB1laI5t4562XoVc995ekjE>

Ah,

I think there is a misunderstanding here. It's normal to discuss an erratum
in many WGs with no procedural aim. I certainly am not trying to get
something pushed through in this case. I do think it is a bug, but very
much agree that it will require a consensus process.

I also think this traffic probably already happens over HTTPS sometimes, so
perhaps the ship has sailed.

thanks,
Rob

On Mon, Jan 15, 2024 at 4:47 AM Deb Cooley <debcooley1@gmail.com> wrote:

> Again 'hold for update' is the only logical choice.  We aren't fixing
> vague language with an erratum.  When this RFC comes up for update, I hope
> you will participate.
>
> Deb
>
> On Mon, Jan 15, 2024 at 7:41 AM Rob Sayre <sayrer@gmail.com> wrote:
>
>> On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <debcooley1@gmail.com> wrote:
>>
>>> Items being brought up for discussion need to have specific and
>>> concrete examples within scope.
>>>
>>
>> I think the issue is that the spec is not specific or concrete:
>>
>> "Because many web servers
>> allocate a default HTTPS virtual host to a particular low-privilege
>> tenant user in a subtle and non-intuitive manner, the challenge must
>> be completed over HTTP, not HTTPS."
>>
>> That sentence is very vague, and also seems to preclude HSTS as specified
>> in RFC 6797.*
>>
>> I can understand that HTTP (rather than HTTPS) might need to be used
>> sometimes, but requiring it seems to conflict with HSTS, and enable the
>> exact attack HSTS aims to address. The erratum suggests a redirect, but
>> HSTS also aims to avoid that. At first, I thought there might be a
>> bootstrapping problem. But, if that were the case, the redirect in the
>> erratum wouldn't work either.
>>
>> thanks,
>> Rob
>>
>> * https://datatracker.ietf.org/doc/html/rfc6797
>>
>
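The exchange the thread argues about, as an added example that is not part of the mailing-list discussion, RFC 8555 or any ACME implementation: a small Python model of the http-01 challenge showing the two routes the thread mentions side by side. One origin answers `/.well-known/acme-challenge/<token>` directly on plain HTTP and redirects everything else to HTTPS; the other (the `redirect_challenge` flag, an assumption of this model) redirects even the challenge URL to its HTTPS copy, which the modelled validator follows. In both cases the validator's first request is plain HTTP, as RFC 8555 section 8.3 requires, and the `Strict-Transport-Security` header is only emitted on HTTPS responses, which is what RFC 6797 section 7.2 requires of an HSTS host. The `Origin` and `validate_http01` classes and functions, the placeholder RSA modulus, the constructed token and the same-host restriction on redirects are all assumptions of this example; the key-authorization and thumbprint construction follow RFC 8555 section 8.1 and RFC 7638.

```python
"""Added example (not from the thread or RFC 8555): model of the http-01 exchange."""
import base64
import hashlib
import hmac
import json
import re
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens are base64url (RFC 8555, section 8.3); rejecting anything else keeps
# "../" and similar out of the challenge lookup.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
HSTS_VALUE = "max-age=31536000; includeSubDomains"

# Constructed account key: the modulus is a placeholder string, not a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, serialised
    as compact JSON with lexicographically ordered member names."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint of the account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class Origin:
    """Assumed model of the HTTP(S) origin for one hostname. Non-challenge traffic
    on plain HTTP is redirected to HTTPS. The challenge path is answered directly
    on HTTP unless redirect_challenge is set, in which case it too is redirected
    to the HTTPS copy (the route the erratum discussion mentions)."""

    def __init__(self, host: str, account_jwk: dict, redirect_challenge: bool = False):
        self.host = host
        self.account_jwk = account_jwk
        self.redirect_challenge = redirect_challenge
        self.pending = {}  # token -> key authorization provisioned for it

    def provision(self, token: str) -> str:
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("token is not base64url")
        self.pending[token] = key_authorization(token, self.account_jwk)
        return self.pending[token]

    def handle(self, scheme: str, path: str):
        """Return (status, headers, body) for a request to this origin."""
        headers = {}
        if scheme == "https":
            # RFC 6797 section 7.2: an HSTS host sends the STS header only over TLS.
            headers["Strict-Transport-Security"] = HSTS_VALUE
        is_challenge = path.startswith(CHALLENGE_PREFIX)
        if scheme == "http" and (not is_challenge or self.redirect_challenge):
            headers["Location"] = f"https://{self.host}{path}"
            return 301, headers, b""
        if is_challenge:
            token = path[len(CHALLENGE_PREFIX):]
            body = self.pending.get(token) if TOKEN_RE.fullmatch(token) else None
            if body is None:
                return 404, headers, b""
            headers["Content-Type"] = "application/octet-stream"
            return 200, headers, body.encode("ascii")
        return 200, headers, b"site content"


def validate_http01(origin: Origin, token: str, account_jwk: dict, max_redirects: int = 3) -> bool:
    """Model of the ACME server's check (RFC 8555 section 8.3): a plain-HTTP GET
    of the challenge URL first, same-host redirects followed (a simplification
    of this model), then a constant-time comparison of the body, trailing
    whitespace ignored, against the expected key authorization."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    scheme, path = "http", CHALLENGE_PREFIX + token
    for _ in range(max_redirects + 1):
        status, headers, body = origin.handle(scheme, path)
        if status in (301, 302, 307, 308) and "Location" in headers:
            target = urlsplit(headers["Location"])
            if target.netloc != origin.host:
                return False
            scheme, path = target.scheme, target.path
            continue
        return status == 200 and hmac.compare_digest(body.rstrip(), expected)
    return False


if __name__ == "__main__":
    token = "constructed-token-AbCdEfGhIjKlMnOpQrStUvWxYz012345"  # constructed, not random
    for redirect in (False, True):
        site = Origin("example.com", ACCOUNT_JWK, redirect_challenge=redirect)
        site.provision(token)
        print("redirect_challenge=%s -> valid=%s" % (redirect, validate_http01(site, token, ACCOUNT_JWK)))
```

The token syntax check is the defensive detail worth keeping: the challenge path is derived from an attacker-influenced URL component, so the lookup only accepts the base64url alphabet that RFC 8555 allows for tokens. The thumbprint function also shows why canonicalisation matters: member order and extra members such as `alg` do not change the result, so a client and server that serialise the JWK differently still agree on the key authorization.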