Re: [Acme] [Technical Errata Reported] RFC8555 (5771)

Jacob Hoffman-Andrews <jsha@eff.org> Tue, 02 July 2019 17:45 UTC

To: acme@ietf.org
References: <20190702140400.527D3B81CB0@rfc-editor.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <c22adae2-1dae-b6b7-e76f-d6ed48a1369c@eff.org>
Date: Tue, 02 Jul 2019 10:45:11 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/VQxhJAQb6Pez2yRgPSN2AjGvRow>
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (5771)

I'm in favor of this change in spirit, but it's pretty substantive and will actually do the wrong thing with some existing deployments. For instance, https://acme-v02.api.letsencrypt.org/directory currently has:

Cache-Control: max-age=0, no-cache, no-store

Which under this language would require clients to refetch the directory before every request. Definitely Let's Encrypt should fix that, but given that RFCs are meant to reflect "rough consensus and running code," I'm reluctant to make such a potentially breaking change to running code in an errata. I also feel a little uneasy at adding a MUST that is currently violated by every implementation that exists.
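As an added illustration (not code from this message, from Let's Encrypt, or from the RFC), here is a small Python model of a client-side directory cache that honours the response's Cache-Control header the way the proposed erratum language would require; it shows that the header quoted above, `max-age=0, no-cache, no-store`, forces a directory fetch before every ACME request, while a cacheable header does not. The hostname `ca.example` and the second sample header are constructed.

```python
from typing import Callable, Dict, Optional, Tuple

# Constructed sample values. The first mirrors the header the message quotes
# for https://acme-v02.api.letsencrypt.org/directory; the second is invented.
LETSENCRYPT_DIRECTORY_CACHE_CONTROL = "max-age=0, no-cache, no-store"
SAMPLE_CACHEABLE = "public, max-age=3600"


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument}. Directive
    names are case-insensitive; quoted arguments have their quotes removed."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def directory_ttl_seconds(cache_control: str) -> int:
    """Seconds a client that honours the caching directives may reuse the
    directory. no-store, no-cache or max-age=0 all give 0, which means
    refetching the directory before every subsequent ACME request."""
    d = parse_cache_control(cache_control)
    if "no-store" in d or "no-cache" in d:
        return 0
    try:
        return max(0, int(d.get("max-age") or 0))  # assumption: no max-age => 0
    except ValueError:
        return 0


def directory_fetches(cache_control: str, requests: int, gap_seconds: int,
                      fetch: Optional[Callable[[], Tuple[dict, str]]] = None) -> int:
    """Simulate `requests` ACME calls spaced `gap_seconds` apart by a client
    that caches the directory per its Cache-Control header, and return how
    many directory fetches that costs. The clock is simulated, no sleeping."""
    if fetch is None:  # constructed stand-in for GET /directory
        fetch = lambda: ({"newNonce": "https://ca.example/acme/new-nonce"}, cache_control)
    now, expires_at, fetched, directory = 0, -1, 0, None
    for _ in range(requests):
        if directory is None or now >= expires_at:
            directory, cc = fetch()
            fetched += 1
            expires_at = now + directory_ttl_seconds(cc)
        now += gap_seconds
    return fetched
```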