[Acme] Re: Interactions between HTTPS RRs (rfc9460) and HTTP-01 DV
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 16 April 2025 18:11 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Erik Nygren <erik+ietf@nygren.org>, Richard Barnes <rlb@ipv.sx>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, IETF ACME <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/oZTFojy9DF1ymyqTuifUwStyrKo>

Benjamin Kaduk <kaduk@mit.edu> wrote:
> "The HTTP client MUST ignore the presence and content of any HTTPS DNS RRs
> [RFC 9460] for the domain name being verified. This includes, but is not
> limited to, a requirement that the HTTP client MUST NOT apply the strict
> transport security behavior specified in Section 9.5 of [RFC9460]."

Well worded.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide