[Acme] Re: [Technical Errata Reported] RFC8555 (8381)
Erik Nygren <erik+ietf@nygren.org> Wed, 16 April 2025 18:43 UTC
References: <20250415224926.759AB22A2CB@rfcpa.rfc-editor.org> <CAL02cgT+H1ouY6o9dYhDaFAe9GA7rfO9izXMV3BOhOX5CCgdJA@mail.gmail.com>
In-Reply-To: <CAL02cgT+H1ouY6o9dYhDaFAe9GA7rfO9izXMV3BOhOX5CCgdJA@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Message-ID: <CAKC-DJgfjzUzLoLxmcM9UzyPfa_tQMOOdKxPqbzS1mn9UxNMNw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu, debcooley1@gmail.com, paul.wouters@aiven.io, ynir.ietf@gmail.com, tomofumi.okubo@gmail.com, acme@ietf.org, "Kaduk, Ben" <bkaduk@akamai.com>
Subject: [Acme] Re: [Technical Errata Reported] RFC8555 (8381)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/G7FfpPn58wxYnXrkRHGZyNLzSSk>
Date: Wed, 16 Apr 2025 18:43:12 -0000
X-Original-Date: Wed, 16 Apr 2025 14:42:57 -0400
Revised proposed text from Ben Kaduk:

"The HTTP client MUST ignore the presence and content of any HTTPS DNS RRs [RFC 9460] for the domain name being verified. This includes, but is not limited to, a requirement that the HTTP client MUST NOT apply the strict transport security behavior specified in Section 9.5 of [RFC9460]."

On Wed, Apr 16, 2025 at 10:41 AM Richard Barnes <rlb@ipv.sx> wrote:

> I would mark this as Verified, though I suggested a couple of friendly
> amendments on the mailing list:
>
> https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/
>
> On Tue, Apr 15, 2025 at 6:49 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:
>
>> The following errata report has been submitted for RFC8555,
>> "Automatic Certificate Management Environment (ACME)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid8381
>>
>> --------------------------------------
>> Type: Technical
>> Reported by: Erik Nygren <erik+ietf@nygren.org>
>>
>> Section: 8.3
>>
>> Original Text
>> -------------
>> 3. Dereference the URL using an HTTP GET request. This request MUST
>>    be sent to TCP port 80 on the HTTP server.
>>
>> Corrected Text
>> --------------
>> 3. Dereference the URL using an HTTP GET request. This request MUST
>>    be sent to TCP port 80 on the HTTP server. (The HTTP client must
>>    not resolve and/or must ignore any HTTPS DNS RRs [RFC 9460].)
>>
>> Notes
>> -----
>> Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the client
>> to switch from HTTP to HTTPS scheme which would break HTTP-01 lookups. The
>> RFC8555 text is clear that "request MUST be sent to TCP port 80 on the HTTP
>> server" which would be violated if the validating client did an HTTPS RR
>> lookup in the DNS and followed the instructions in RFC 9460 section 9.5.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". (If it is spam, it
>> will be removed shortly by the RFC Production Center.) Please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party
>> will log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC8555 (draft-ietf-acme-acme-18)
>> --------------------------------------
>> Title : Automatic Certificate Management Environment (ACME)
>> Publication Date : March 2019
>> Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
>> Category : PROPOSED STANDARD
>> Source : Automated Certificate Management Environment
>> Stream : IETF
>> Verifying Party : IESG
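To make the failure mode discussed in this thread concrete, here is an added example (not code from the thread, from RFC 8555 or from any CA's validator) that contrasts the transport an http-01 validator must use with what an RFC 9460 section 9.5 "HSTS-like" client would do given the same constructed DNS answers; the domain, addresses and token are made-up sample values.

```python
# Transport policy for an ACME http-01 validator (RFC 8555 section 8.3).
# Constructed example: not code from the thread, RFC 8555 or any CA;
# the domain, addresses and token are made-up sample values.
from urllib.parse import urlsplit

# Constructed DNS answer set: the zone publishes an HTTPS RR next to its
# address records, which is exactly the situation the erratum describes.
SAMPLE_ANSWERS = [
    {"name": "example.test.", "type": "A", "data": "203.0.113.10"},
    {"name": "example.test.", "type": "AAAA", "data": "2001:db8::10"},
    {"name": "example.test.", "type": "HTTPS", "data": "1 . alpn=h2"},
]

def http01_url(domain, token):
    """Challenge URL per RFC 8555 8.3: http scheme, no explicit port."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def validator_addresses(domain, answers):
    """Only A/AAAA answers feed the validator; HTTPS RRs are ignored,
    presence and content alike, as the revised erratum text requires."""
    fqdn = domain.rstrip(".") + "."
    return [r["data"] for r in answers
            if r["name"] == fqdn and r["type"] in ("A", "AAAA")]

def validator_target(domain, token, answers):
    """(scheme, address, port) for the validation GET: plain HTTP, TCP 80."""
    url = urlsplit(http01_url(domain, token))
    if url.scheme != "http" or url.port is not None:
        raise ValueError("http-01 URL must be http:// on the default port")
    addrs = validator_addresses(domain, answers)
    if not addrs:
        raise ValueError("no A/AAAA record; nothing to connect to")
    return ("http", addrs[0], 80)

def hsts_like_target(domain, token, answers):
    """The RFC 9460 section 9.5 behaviour the erratum forbids: an HTTPS RR
    for the origin upgrades the http:// URL to https://, so the request
    goes to port 443 and never reaches the port-80 challenge responder."""
    fqdn = domain.rstrip(".") + "."
    if any(r["name"] == fqdn and r["type"] == "HTTPS" for r in answers):
        return ("https", validator_addresses(domain, answers)[0], 443)
    return validator_target(domain, token, answers)

def is_compliant(target):
    """Check a planned request against the RFC 8555 MUST: http on TCP 80."""
    scheme, _addr, port = target
    return scheme == "http" and port == 80
```

Run with the sample answers, `validator_target` yields plain HTTP on port 80 while `hsts_like_target` yields an HTTPS request to port 443, which `is_compliant` rejects.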