Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
Benjamin Kaduk <kaduk@mit.edu> Wed, 09 February 2022 06:54 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 282B83A0E46 for <acme@ietfa.amsl.com>; Tue, 8 Feb 2022 22:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyOHVeltxlzZ for <acme@ietfa.amsl.com>; Tue, 8 Feb 2022 22:54:37 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 191A63A0E4F for <acme@ietf.org>; Tue, 8 Feb 2022 22:54:32 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 2196sHZL019538 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 9 Feb 2022 01:54:22 -0500
Date: Tue, 08 Feb 2022 22:54:16 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: jdkasten@umich.edu
Cc: rlb@ipv.sx, jsha@eff.org, cpu@letsencrypt.org, rdd@cert.org, decoole@nsa.gov, debcooley1@gmail.com, ynir.ietf@gmail.com, acme@ietf.org, RFC Errata System <rfc-editor@rfc-editor.org>
Message-ID: <20220209065416.GT48552@kduck.mit.edu>
References: <20220208202323.A644DE9747@rfc-editor.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20220208202323.A644DE9747@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Y-f-UbrTNI971Vju_-bRZmhtHww>
X-Mailman-Approved-At: Wed, 09 Feb 2022 06:35:34 -0800
Subject: Re: [Acme] [Technical Errata Reported] RFC8555 (6843)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Feb 2022 06:54:42 -0000
Is there particular guidance from Section 10 that you had in mind to justify the following of the redirect? In light of the role of errata reports as indicating errors in the specification at the time it was published, I think the processing options here are either "hold for document update" or "rejected". -Ben On Tue, Feb 08, 2022 at 12:23:23PM -0800, RFC Errata System wrote: > The following errata report has been submitted for RFC8555, > "Automatic Certificate Management Environment (ACME)". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid6843 > > -------------------------------------- > Type: Technical > Reported by: James Kasten <jdkasten@umich.edu> > > Section: 8.3 > > Original Text > ------------- > Because many web servers > allocate a default HTTPS virtual host to a particular low-privilege > tenant user in a subtle and non-intuitive manner, the challenge must > be completed over HTTP, not HTTPS. > > > Corrected Text > -------------- > Because many web servers > allocate a default HTTPS virtual host to a particular low-privilege > tenant user in a subtle and non-intuitive manner, the challenge must > be initiated over HTTP, not HTTPS. > > Notes > ----- > Completing the entire http-01 challenge over HTTP is unnecessary. The threat of default HTTPS virtual hosts is remediated by "initiating" the http-01 challenge over HTTP. Validation servers which redirect from HTTP to HTTPS should be permitted following the rest of the guidance within Section 10, Security Considerations. > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC8555 (draft-ietf-acme-acme-18) > -------------------------------------- > Title : Automatic Certificate Management Environment (ACME) > Publication Date : March 2019 > Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten > Category : PROPOSED STANDARD > Source : Automated Certificate Management Environment > Area : Security > Stream : IETF > Verifying Party : IESG
- [Acme] [Technical Errata Reported] RFC8555 (6843) RFC Errata System
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Benjamin Kaduk
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… James Kasten
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Deb Cooley
- Re: [Acme] [Technical Errata Reported] RFC8555 (6… Jacob Hoffman-Andrews