IETF Logo Mail Archive

[Acme] Re: [Technical Errata Reported] RFC8555 (8381)

Martin Thomson <mt@lowentropy.net> Tue, 22 April 2025 01:11 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 5B9F61F1B441 for <acme@mail2.ietf.org>; Mon, 21 Apr 2025 18:11:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="BwwP/9sQ"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="SjYU+tnh"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HI0QNjL2etyd for <acme@mail2.ietf.org>; Mon, 21 Apr 2025 18:11:38 -0700 (PDT)
Received: from fout-b5-smtp.messagingengine.com (fout-b5-smtp.messagingengine.com [202.12.124.148]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id AC6421F1B43C for <acme@ietf.org>; Mon, 21 Apr 2025 18:11:38 -0700 (PDT)
Received: from phl-compute-06.internal (phl-compute-06.phl.internal [10.202.2.46]) by mailfout.stl.internal (Postfix) with ESMTP id 32D4C11400B3; Mon, 21 Apr 2025 21:11:38 -0400 (EDT)
Received: from phl-imap-15 ([10.202.2.104]) by phl-compute-06.internal (MEProxy); Mon, 21 Apr 2025 21:11:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:cc:content-transfer-encoding:content-type:content-type :date:date:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:subject:subject:to:to; s=fm3; t=1745284298; x=1745370698; bh=ABnp2RCCzNzvf8cihd1r8ylOl2SXuc6m pS0oENuFMvI=; b=BwwP/9sQ6+8DI04BnRPgfB+VP1ZEoQ73alSqKKE3SlR5JanY drzQ8VXr7nEw84k0m8ILY/vu1uT0cFOHRXYZNuvo5AvtXcy7/oHCwgr0UwOSNqbo 7CoUPT7imdcg1WebpS98664Kmr60ocKcaj1/txuB947ng1OTGJTp7XMVDAz9njPM zgM4ynyxF3WOGjTbD7KKHXqXDEtox/+4+W4JLf4bs26721X/C4XP8oe0DqBTGR+B ni2do7rl+I0aJGtlQ7Yv1pnPlmgunPM8fL//fnRHokep02SBKrlWIIplw3z8/gqq FvXxpL4zP4qx/0y4mYwb+RtJ4A/l+6mdM0V/Kg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1745284298; x= 1745370698; bh=ABnp2RCCzNzvf8cihd1r8ylOl2SXuc6mpS0oENuFMvI=; b=S jYU+tnhF79w7iOwJGDLs34QvL/AVH7cNM/79xUHK3jS8WhN4WK+e+Hoj28gTzE7D OnrlWeEOa3ZP9x109kO0C2NS6TyjKX3Xfd76sw9NWQOXh5ffufZtAo/WQX162Ci2 Te6wq45we1fo2YPc7CCiazHzbWv8CWGYvFzNwqLUDqY/OXlpZ+HyI01LhNUFhY6w ue6nf0Zrah7WconXD8nBOeKcVTJ3BxIrxIzrrO5gmvWGjdEg7EMsmLcNH+PuKslV 8ZueNY3dvt4mTCTYq4PThYwtiiHYP/qfjJAPXJhW0XhXlbOb0cEVD98MEtTdAg+h mAFzVDpl0ikf+R8zfV33A==
X-ME-Sender: <xms:yewGaJj4ziTWSV1_bkM57skE4QbQMhlPKfyCBYldxmV1-Pyg0a9RXg> <xme:yewGaOCEjuNAZusbzkBhstfM0pQN8Yk3XNb-poOZG_4S6buNr9RzYsm64lBIiHDEp Nr2YiyzKnQmIw_kwdM>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvgedvfeejucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih gvnhhtshculddquddttddmnecujfgurhepofggfffhvfevkfgjfhfutgfgsehtqhertder tdejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmtheslhhofigvnh htrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpeejlefguedukeeiudefgfehgedu veetveejgffhkeeuvdelfeejudeggefhtefhieenucffohhmrghinhepihgvthhfrdhorh hgpdhrfhgtqdgvughithhorhdrohhrghdpuhhrlhguvghfvghnshgvrdgtohhmnecuvehl uhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvg hnthhrohhphidrnhgvthdpnhgspghrtghpthhtohepkedpmhhouggvpehsmhhtphhouhht pdhrtghpthhtohepsghkrgguuhhksegrkhgrmhgrihdrtghomhdprhgtphhtthhopehjsh hhrgesvghffhdrohhrghdprhgtphhtthhopeguvggstghoohhlvgihudesghhmrghilhdr tghomhdprhgtphhtthhopegrtghmvgesihgvthhfrdhorhhgpdhrtghpthhtoheprhhlsg esihhpvhdrshigpdhrtghpthhtoheptghpuheslhgvthhsvghntghrhihpthdrohhrghdp rhgtphhtthhopegvrhhikhdoihgvthhfsehnhihgrhgvnhdrohhrghdprhgtphhtthhope hjughkrghsthgvnhesuhhmihgthhdrvgguuh
X-ME-Proxy: <xmx:yewGaJEr8KSUBjgygJKXQy7AblOODkmhHefwU0peeOdfqSXtZ4eknA> <xmx:yewGaOQ-9i3YM2w4iq-kILa_1nvRRe3dTZ6g3-jtuM7N6WUR3y3Wsg> <xmx:yewGaGxjzbxdwYMJzVi5DfhYcWzlsPGJHfPNfSdWGz9zFIyXQczeXw> <xmx:yewGaE75PLszpR32B_0qEnNVo7VW084aL3zO_szxEzD8EQ_Qx39exg> <xmx:yuwGaJgKgRhn5P6z7In26UV1I58XEK4Ah-h3ud-9V1K9S2Uowx2y5uWD>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 9EB9E780070; Mon, 21 Apr 2025 21:11:37 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: T413cd4744c1609c1
Date: Tue, 22 Apr 2025 11:11:17 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Richard Barnes <rlb@ipv.sx>, Benjamin Kaduk <bkaduk@akamai.com>
Message-Id: <a412c499-70b0-453d-b1e6-70649dd3edcb@betaapp.fastmail.com>
In-Reply-To: <CAL02cgSqrFEocCqoewvLepfOAiCzw+mPkv_Ev=u_ds+QipdQSQ@mail.gmail.com>
References: <20250415224926.759AB22A2CB@rfcpa.rfc-editor.org> <CAL02cgT+H1ouY6o9dYhDaFAe9GA7rfO9izXMV3BOhOX5CCgdJA@mail.gmail.com> <CAKC-DJgfjzUzLoLxmcM9UzyPfa_tQMOOdKxPqbzS1mn9UxNMNw@mail.gmail.com> <CAGgd1OdiU38LQFHzfcbbGd3BtgSryGaMwobxBDmLZj_725O=aA@mail.gmail.com> <aAFZDIJRdeFpIOi9@akamai.com> <CAL02cgSqrFEocCqoewvLepfOAiCzw+mPkv_Ev=u_ds+QipdQSQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: V64PP5YBPB25T2OBV3DLXSF72BBJZHRB
X-Message-ID-Hash: V64PP5YBPB25T2OBV3DLXSF72BBJZHRB
X-MailFrom: mt@lowentropy.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Deb Cooley <debcooley1@gmail.com>, Erik Nygren <erik+ietf@nygren.org>, jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu, acme@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: [Technical Errata Reported] RFC8555 (8381)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/JoIhxy1kAXJzFpGvjVTngLmlP0Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

I don't think that Verified fits that definition, though "Hold for Document Update" might.

On Fri, Apr 18, 2025, at 11:31, Richard Barnes wrote:
> Just replace "errata" in your mind with "small change we would just 
> make to the document if the RFC publication process weren't so 
> sclerotic", and it makes perfect sense.
>
> --RLB
>
> On Thu, Apr 17, 2025 at 3:40 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:
>> Hi Deb,
>> 
>> That matches my understanding of the proposal.
>> 
>> (I always get a bit nervous about using "Verified" for new text that points to
>> references that didn't exist at the time of the publication of the original
>> RFC, but maybe that's just me.  And I guess draft-ietf-dnsop-svcb-httpssvc was
>> around then, technically speaking.)
>> 
>> -Ben
>> 
>> On Wed, Apr 16, 2025 at 07:35:22PM -0400, Deb Cooley wrote:
>> >    This Message Is From an External Sender
>> >    This message came from outside your organization.
>> >     
>> >    Trimming the to line so it doesn't get stuck in moderation.....
>> >    I'm just making sure that I know what needs to be done when I next go in
>> >    to mark this errata as verified (not today, BTW).
>> >    I'm replacing the Corrected Text with this text?
>> >    "Dereference the URL using an HTTP GET request.  This request MUST be sent
>> >    to TCP port 80 on the HTTP server.  The HTTP client MUST ignore the
>> >    presence and content of any HTTPS DNS RRs [RFC 9460] for the domain name
>> >    being verified.  This includes, but is not limited to, a requirement that
>> >    the HTTP client MUST NOT apply the strict transport security behavior
>> >    specified in Section 9.5 of [RFC9460]."
>> >    And then not touching the original text or the notes. 
>> >    If I've gotten this wrong, it might be easier to file another errata and
>> >    I'll reject the first and verify the second.
>> >    Deb
>> >    Your errata servant
>> >    On Wed, Apr 16, 2025 at 2:43 PM Erik Nygren <[1]erik+ietf@nygren.org <mailto:erik%2Bietf@nygren.org>>
>> >    wrote:
>> > 
>> >      Revised proposed text from Ben Kaduk:
>> >      "The HTTP client MUST ignore the presence and content of any HTTPS DNS
>> >      RRs
>> >      [RFC 9460] for the domain name being verified.  This includes, but is
>> >      not
>> >      limited to, a requirement that the HTTP client MUST NOT apply the strict
>> >      transport security behavior specified in Section 9.5 of [RFC9460]."
>> >      On Wed, Apr 16, 2025 at 10:41 AM Richard Barnes <[2]rlb@ipv.sx> wrote:
>> > 
>> >        I would mark this as Verified, though I suggested a couple of friendly
>> >        amendments on the mailing list:
>> > 
>> >        [3]https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/
>> >        On Tue, Apr 15, 2025 at 6:49 PM RFC Errata System
>> >        <[4]rfc-editor@rfc-editor.org> wrote:
>> > 
>> >          The following errata report has been submitted for RFC8555,
>> >          "Automatic Certificate Management Environment (ACME)".
>> > 
>> >          --------------------------------------
>> >          You may review the report below and at:
>> >          [5]https://www.rfc-editor.org/errata/eid8381
>> > 
>> >          --------------------------------------
>> >          Type: Technical
>> >          Reported by: Erik Nygren <[6]erik+ietf@nygren.org <mailto:erik%2Bietf@nygren.org>>
>> > 
>> >          Section: 8.3
>> > 
>> >          Original Text
>> >          -------------
>> >             3.  Dereference the URL using an HTTP GET request.  This request
>> >          MUST
>> >                 be sent to TCP port 80 on the HTTP server.
>> > 
>> >          Corrected Text
>> >          --------------
>> >             3.  Dereference the URL using an HTTP GET request.  This request
>> >          MUST
>> >                 be sent to TCP port 80 on the HTTP server.  (The HTTP client
>> >          must
>> >                 not resolve and/or must ignore any HTTPS DNS RRs [RFC 9460].)
>> > 
>> >          Notes
>> >          -----
>> >          Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the
>> >          client to switch from HTTP to HTTPS scheme which would break HTTP-01
>> >          lookups.  The RFC8555 text is clear that "request MUST be sent to
>> >          TCP port 80 on the HTTP server" which would be violated if the
>> >          validating client did an HTTPS RR lookup in the DNS and followed the
>> >          instructions in RFC 9460 section 9.5.
>> > 
>> >          Instructions:
>> >          -------------
>> >          This erratum is currently posted as "Reported". (If it is spam, it
>> >          will be removed shortly by the RFC Production Center.) Please
>> >          use "Reply All" to discuss whether it should be verified or
>> >          rejected. When a decision is reached, the verifying party 
>> >          will log in to change the status and edit the report, if necessary.
>> > 
>> >          --------------------------------------
>> >          RFC8555 (draft-ietf-acme-acme-18)
>> >          --------------------------------------
>> >          Title               : Automatic Certificate Management Environment
>> >          (ACME)
>> >          Publication Date    : March 2019
>> >          Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J.
>> >          Kasten
>> >          Category            : PROPOSED STANDARD
>> >          Source              : Automated Certificate Management Environment
>> >          Stream              : IETF
>> >          Verifying Party     : IESG
>> > 
>> > Links:
>> > 1. mailto:erik%2Bietf@nygren.org <mailto:erik%252Bietf@nygren.org>/
>> > 2. mailto:rlb@ipv.sx/
>> > 3. https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/__;!!GjvTz_vk!RAD5VXwqPE8seyvrvjs4dx_HdssruykT5XU8fjK1JJ5b2t2EOGp4uVBLbMVHsLBMRIqb9DL7F3C8mHiJrw$
>> > 4. mailto:rfc-editor@rfc-editor.org/
>> > 5. https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid8381__;!!GjvTz_vk!RAD5VXwqPE8seyvrvjs4dx_HdssruykT5XU8fjK1JJ5b2t2EOGp4uVBLbMVHsLBMRIqb9DL7F3ByRaNYsg$
>> > 6. mailto:erik%2Bietf@nygren.org <mailto:erik%252Bietf@nygren.org>/
> _______________________________________________
> Acme mailing list -- acme@ietf.org
> To unsubscribe send an email to acme-leave@ietf.org

v2.31.3 | Report a Bug | By Email | System Status