[Acme] Re: [Technical Errata Reported] RFC8555 (8381)
Richard Barnes <rlb@ipv.sx> Wed, 16 April 2025 14:41 UTC
I would mark this as Verified, though I suggested a couple of friendly
amendments on the mailing list:

https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/

On Tue, Apr 15, 2025 at 6:49 PM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC8555,
> "Automatic Certificate Management Environment (ACME)".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid8381
>
> --------------------------------------
> Type: Technical
> Reported by: Erik Nygren <erik+ietf@nygren.org>
>
> Section: 8.3
>
> Original Text
> -------------
> 3. Dereference the URL using an HTTP GET request. This request MUST
> be sent to TCP port 80 on the HTTP server.
>
> Corrected Text
> --------------
> 3. Dereference the URL using an HTTP GET request. This request MUST
> be sent to TCP port 80 on the HTTP server. (The HTTP client must
> not resolve and/or must ignore any HTTPS DNS RRs [RFC 9460].)
>
> Notes
> -----
> Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the client to
> switch from HTTP to HTTPS scheme which would break HTTP-01 lookups. The
> RFC8555 text is clear that "request MUST be sent to TCP port 80 on the HTTP
> server" which would be violated if the validating client did an HTTPS RR
> lookup in the DNS and followed the instructions in RFC 9460 section 9.5.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8555 (draft-ietf-acme-acme-18)
> --------------------------------------
> Title : Automatic Certificate Management Environment (ACME)
> Publication Date : March 2019
> Author(s) : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
> Category : PROPOSED STANDARD
> Source : Automated Certificate Management Environment
> Stream : IETF
> Verifying Party : IESG
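
The failure mode described in the erratum's Notes, as an added example that is not part of the original message or of RFC 8555: a validator's HTTP-01 fetch plan that consults only A/AAAA records, beside the plan a general-purpose RFC 9460 client would build from the same zone. The zone data, token, record layout and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed zone data (documentation names and addresses only).
ZONE = {
    ("example.org", "A"): ["192.0.2.10"],
    ("example.org", "AAAA"): ["2001:db8::10"],
    # HTTPS RR in ServiceMode pointing at an alternative endpoint.
    ("example.org", "HTTPS"): [{"priority": 1, "target": "svc.example.net", "port": 8443}],
    ("svc.example.net", "A"): ["198.51.100.7"],
}

@dataclass(frozen=True)
class FetchPlan:
    scheme: str
    connect_host: str
    port: int
    addresses: tuple
    url: str

def lookup(name, rrtype):
    """Hypothetical resolver stub backed by the constructed zone."""
    return ZONE.get((name, rrtype), [])

def http01_plan(domain, token):
    """RFC 8555 section 8.3 step 3 with the erratum: no HTTPS RR lookup, port 80."""
    addrs = tuple(lookup(domain, "A") + lookup(domain, "AAAA"))
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return FetchPlan("http", domain, 80, addrs, url)

def svcb_aware_plan(domain, token):
    """What a client following RFC 9460 would do; not acceptable for HTTP-01."""
    # Only ServiceMode records (priority > 0) are modelled here.
    records = sorted((r for r in lookup(domain, "HTTPS") if r["priority"] > 0),
                     key=lambda r: r["priority"])
    if not records:
        return http01_plan(domain, token)
    rr = records[0]
    target = domain if rr["target"] == "." else rr["target"]
    addrs = tuple(lookup(target, "A") + lookup(target, "AAAA"))
    # RFC 9460 section 9.5: the presence of the record upgrades http to https.
    url = f"https://{domain}/.well-known/acme-challenge/{token}"
    return FetchPlan("https", target, rr.get("port", 443), addrs, url)

def violates_http01(plan):
    """True when the plan breaks 'MUST be sent to TCP port 80' over plain HTTP."""
    return plan.scheme != "http" or plan.port != 80
```

With the same zone, the second plan validates against a different host, port and scheme than the one the HTTP-01 challenge is defined for, which is why the validator's HTTP client has to skip the HTTPS RR lookup rather than rely on library defaults.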