Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

Aaron Gable <aaron@letsencrypt.org> Fri, 12 January 2024 03:10 UTC

References: <CAChr6SypX6PN_00OQUzRbtyXeQYsuVeZeRjg9Xosk8uRTkzr2Q@mail.gmail.com>
In-Reply-To: <CAChr6SypX6PN_00OQUzRbtyXeQYsuVeZeRjg9Xosk8uRTkzr2Q@mail.gmail.com>
From: Aaron Gable <aaron@letsencrypt.org>
Date: Thu, 11 Jan 2024 19:10:16 -0800
Message-ID: <CAEmnErfE=-HMKkf4MHUfYCLam0baWA+QnAA7tg_tREtPFvRhdQ@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000855748060eb701d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/3N16nqu1CrYUCPVn3GVMiqE_ec4>
Subject: Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

This erratum changed "completed" to "initiated", so the document now
correctly allows redirects from HTTP to HTTPS. If you believe that
challenges should be able to be initiated over HTTPS as well, this erratum
is not the right place for that discussion.

But perhaps more importantly, ACME Servers do not have an HSTS Preload
list. The idea of the preload list is an extension of HSTS implemented by
certain browsers, but other user-agents are under no obligation to respect
a preload list.

Aaron

On Thu, Jan 11, 2024 at 7:03 PM Rob Sayre <sayrer@gmail.com> wrote:

> Hi,
>
> Is this one valid?
>
> https://www.rfc-editor.org/errata/eid6843
>
> > the challenge must be initiated over HTTP, not HTTPS.
>
> What if the host is on a .dev domain? That should be in the HSTS preload
> list.
>
> thanks,
> Rob
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
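The procedure Aaron describes (the validator initiates the HTTP-01 request over plain HTTP and may follow a redirect to HTTPS, with no HSTS preload list consulted) can be shown as a small offline simulation. This is an added example, not code from the email thread, from Let's Encrypt, or from RFC 8555 itself. It assumes an injected transport function in place of a real HTTP client, a constructed account JWK and token (not real key material), a redirect cap of 10 (the RFC fixes no number), and a simulated origin that answers port 80 with a 301 to HTTPS, as a site on a preloaded domain such as .dev typically does. A second scenario shows what happens when nothing listens on port 80 at all.

```python
"""Simulated ACME HTTP-01 validation (RFC 8555 section 8.3).

Added example: the validator's first request always goes over http://, a
redirect to http:// or https:// is followed, and the challenge passes only if
the final body equals the key authorization. The transport is injected so the
whole thing runs offline.
"""
import base64
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # assumption: a sane cap; RFC 8555 does not fix a number


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# A transport maps a URL to a Response, or raises OSError when the connection is refused.
Transport = Callable[[str], Response]


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01(domain: str, token: str, jwk: dict, fetch: Transport) -> Tuple[bool, List[str]]:
    """Run the HTTP-01 check and return (passed, list of URLs requested).

    The initial URL is built with the http scheme regardless of any HSTS or
    preload state, because an ACME server is not a browser and keeps no
    preload list. Redirects are followed (the erratum's "initiated" wording).
    """
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    trail: List[str] = []
    for _ in range(MAX_REDIRECTS + 1):
        trail.append(url)
        try:
            resp = fetch(url)
        except OSError:
            return False, trail  # nothing answered on port 80: validation fails
        if resp.status in (301, 302, 303, 307, 308):
            target = urljoin(url, resp.headers.get("Location", ""))
            if urlsplit(target).scheme not in ("http", "https"):
                return False, trail  # only http/https redirect targets are acceptable
            url = target
            continue
        if resp.status != 200:
            return False, trail
        body = resp.body.decode("ascii", "replace").strip()
        return body == key_authorization(token, jwk), trail
    return False, trail  # redirect loop or chain too long


def make_origin(domain: str, token: str, jwk: dict, *, port80: bool = True) -> Transport:
    """Simulated origin (constructed): port 80 answers with a 301 to HTTPS and the
    key authorization is served over HTTPS. With port80=False nothing listens on 80."""
    expected = key_authorization(token, jwk).encode()

    def fetch(url: str) -> Response:
        parts = urlsplit(url)
        if parts.netloc != domain:
            return Response(404)
        if parts.scheme == "http":
            if not port80:
                raise ConnectionRefusedError("no listener on port 80")
            return Response(301, {"Location": f"https://{domain}{parts.path}"})
        if parts.scheme == "https" and parts.path == CHALLENGE_PATH + token:
            return Response(200, {"Content-Type": "application/octet-stream"}, expected)
        return Response(404)

    return fetch


# Constructed sample inputs: not a real key, not a real token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "c29tZS1jb25zdHJ1Y3RlZC1tb2R1bHVzLW5vdC1hLXJlYWwta2V5"}
SAMPLE_TOKEN = "c0nstructedT0ken_example"


if __name__ == "__main__":
    ok, trail = validate_http01("example.dev", SAMPLE_TOKEN, SAMPLE_JWK,
                                make_origin("example.dev", SAMPLE_TOKEN, SAMPLE_JWK))
    print("port 80 redirects to HTTPS:", ok, trail)
    ok, trail = validate_http01("example.dev", SAMPLE_TOKEN, SAMPLE_JWK,
                                make_origin("example.dev", SAMPLE_TOKEN, SAMPLE_JWK, port80=False))
    print("HTTPS only, nothing on port 80:", ok, trail)
```

The first scenario passes with a two-entry trail (http, then https), which is the redirect the erratum's wording permits. The second fails on the very first request: a preloaded domain does not exempt the host from answering on port 80, since the validator never consults the preload list; the operator's fix is simply to keep a port-80 listener that redirects, which HSTS deployments already need for first visits.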