Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

Rob Sayre <> Mon, 15 January 2024 12:41 UTC

From: Rob Sayre <>
Date: Mon, 15 Jan 2024 04:41:41 -0800
To: Deb Cooley <>

On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <> wrote:

>   Items being brought up for discussion need to have specific and concrete
> examples within scope.

I think the issue is that the spec is not specific or concrete:

"Because many web servers
allocate a default HTTPS virtual host to a particular low-privilege
tenant user in a subtle and non-intuitive manner, the challenge must
be completed over HTTP, not HTTPS."

That sentence is very vague, and also seems to preclude HSTS as specified
in RFC 6797.*

I can understand that HTTP (rather than HTTPS) might need to be used
sometimes, but requiring it seems to conflict with HSTS, and enable the
exact attack HSTS aims to address. The erratum suggests a redirect, but
HSTS also aims to avoid that. At first, I thought there might be a
bootstrapping problem. But, if that were the case, the redirect in the
erratum wouldn't work either.
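To make the mechanism under discussion concrete, here is an added model (not code from the thread, the RFC, or any ACME implementation) of an http-01 fetch: the validator starts over plain HTTP as the quoted RFC sentence requires, and the origin, which enforces HTTPS with HSTS for everything else, either answers the challenge path directly over HTTP or redirects it to HTTPS, where the validator follows. The token, key authorization, domain and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit, urljoin

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample values; real ones come from the CA and the account key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCtG3HKk7s"
KEY_AUTHZ = TOKEN + ".nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzQnm0Uh5eS"
MAX_REDIRECTS = 5  # assumed bound; the RFC does not fix a number


def serve_challenge(path, hdrs):
    """Answer a request under the challenge prefix with the key authorization."""
    token = path[len(CHALLENGE_PREFIX):]
    if token != TOKEN:
        return 404, hdrs, ""
    return 200, {**hdrs, "Content-Type": "application/octet-stream"}, KEY_AUTHZ


def make_origin(redirect_challenge: bool):
    """Return a fake origin: url -> (status, headers, body).
    redirect_challenge=False: the challenge path is served over plain HTTP.
    redirect_challenge=True: even the challenge path is bounced to HTTPS and
    served there (the redirect arrangement the thread discusses)."""
    def origin(url):
        u = urlsplit(url)
        is_challenge = u.path.startswith(CHALLENGE_PREFIX)
        if u.scheme == "http":
            if is_challenge and not redirect_challenge:
                return serve_challenge(u.path, {})
            return 301, {"Location": "https://" + u.netloc + u.path}, ""
        # HSTS is only honoured when received over a secure transport (RFC 6797).
        hdrs = {"Strict-Transport-Security": "max-age=31536000"}
        return serve_challenge(u.path, hdrs) if is_challenge else (200, hdrs, "site")
    return origin


def http01_validate(origin, domain: str) -> bool:
    """Assumed CA-side check: begin over plain HTTP (RFC 8555 section 8.3),
    follow a bounded number of http/https redirects, accept only the
    expected key authorization."""
    url = "http://" + domain + CHALLENGE_PREFIX + TOKEN
    for _ in range(MAX_REDIRECTS + 1):
        status, hdrs, body = origin(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, hdrs.get("Location", ""))
            if urlsplit(url).scheme not in ("http", "https"):
                return False
            continue
        return status == 200 and body.strip() == KEY_AUTHZ
    return False  # redirect loop or chain too long
```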