Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

Aaron Gable <aaron@letsencrypt.org> Mon, 15 January 2024 05:12 UTC

On Sun, Jan 14, 2024, 10:12 Rob Sayre <sayrer@gmail.com> wrote:

> On Sun, Jan 14, 2024 at 3:01 AM Deb Cooley <debcooley1@gmail.com> wrote:
>
>> I had this marked as 'hold for update' (vs. 'verified').  I can't tell
>> from the discussion how you think we should be handling it.
>>
>
> The erratum says "the challenge must be initiated over HTTP, not HTTPS.",
> which is a little better than the current draft, in my opinion.
>

To be clear, the document being discussed is not a draft, it's a full RFC
which was finalized five years ago.


> But there are TLDs (.app, .dev, .bank, etc) that are not supposed to be
> contacted over clear text HTTP at all. There is also the HSTS preload list
> for certain domains (this is a big list...).
>

Many .dev domains successfully get certificates via ACME, including via the
HTTP-01 challenge method being discussed here. They can be contacted via
port 80 just fine, just not by mainstream browsers.


> Others have said this list is just for browsers, but that is not the case.
> For example, the default networking stack on Apple operating systems
> enforces HSTS policies.
>

While you're correct that HSTS preload lists (there are multiple) are not
just for browsers, they are just for the applications and platforms that
maintain them. ACME clients do not generally run on such platforms, they
usually run on server operating systems. They are under no obligation to
use any HSTS preload list (which are not part of the HSTS spec), if there
even was an obvious list for them to use.


> So, my point is that the entire sentence might be wrong, and could need
> more than a slight adjustment.
>
> thanks,
> Rob
>
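As an added example, not part of this thread or of RFC 8555's own text, here are the HTTP-01 validation steps the erratum is arguing about, in Python: the CA builds the validation URL with the http scheme on TCP port 80 and compares the response body against the key authorization (token + "." + RFC 7638 thumbprint of the account key). The JWK, token and domain are constructed sample values.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample values (not real credentials): an EC P-256 public JWK
# standing in for an ACME account key, and a challenge token as a CA would issue.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validation_url(domain: str, token: str) -> str:
    """RFC 8555 s8.3: the CA dereferences http://{domain}/.well-known/acme-challenge/{token}.

    The scheme is http and the request goes to TCP port 80; the CA may follow
    redirects from there, but the initial request is never made over HTTPS."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_response(url: str, body: bytes, token: str, account_jwk: dict) -> bool:
    """The CA-side check: the request was issued with the http scheme on port 80,
    and the body (trailing whitespace ignored, per s8.3) equals the key authorization."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port not in (None, 80):
        return False
    return body.decode("ascii", "replace").rstrip() == key_authorization(token, account_jwk)
```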