IETF Logo Mail Archive

[Acme] Re: [Technical Errata Reported] RFC8555 (8381)

Richard Barnes <rlb@ipv.sx> Fri, 18 April 2025 01:31 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@mail2.ietf.org
Delivered-To: acme@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 59D021DE7DF6 for <acme@mail2.ietf.org>; Thu, 17 Apr 2025 18:31:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20230601.gappssmtp.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d7kVAvb4RfJt for <acme@mail2.ietf.org>; Thu, 17 Apr 2025 18:31:14 -0700 (PDT)
Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5F8C61DE7DEF for <acme@ietf.org>; Thu, 17 Apr 2025 18:31:14 -0700 (PDT)
Received: by mail-il1-x12e.google.com with SMTP id e9e14a558f8ab-3d81cdbfeceso5322585ab.3 for <acme@ietf.org>; Thu, 17 Apr 2025 18:31:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20230601.gappssmtp.com; s=20230601; t=1744939873; x=1745544673; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OkAio1w0dINyX/g6i40zSuHkYOHsUdWPgO1VD8v0TMQ=; b=laDxQckF7oHNyO81tEE3lrs0petzkN5QyxIFhMJftjaV8/o5Pta/SIgAu4Qveg1HT7 UBXbebinfO7VTaYPS4o6JWeN8apHHOEsG7IAv3PnOyEa6XH1++T9aOx7YXqdLwKgDv69 THrATgF2z9tlv0tz65aS8oPkSkCNzGSNK7lBZMAnKYTKEFszoq1sP8eQkAkCKQ08hTI4 kZjHz5LuN199u85ZU8PZ2N0zZGQmxCJcjCq+6iYwWxZf3xV/PxOJxfWFnjJrQUtW4oXR jhUSuNB9Cv9Y4H/kop8v/SLuWP+bCi38Cfntue7Xw7hkiuH4lDs/gIf0CTDhNBara7mF 5Ldg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744939873; x=1745544673; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OkAio1w0dINyX/g6i40zSuHkYOHsUdWPgO1VD8v0TMQ=; b=azo42NFTNadWog9RWaV2PLQRRfNalOL448dRDHjFUa27MagOXeT/Xo4TQEm9trnSh2 5IXuuhgZavgrs1LE7m1LjPDBzgsBRQsUlQsfvPTZV1zJjip/tLMqAOHfrzz/3IkgMVWx EXu1E7hefCxEVhdgaXQW9yellUN95NZjyK8Ie6/EPJHJIgeRv+CbZFIws9QzmFAvcq2+ QutXDuAqinysFKEBIZZTdQOFWp1tMZTPF+g0IK6mwmu9xKRktxNC1wInbJz3vnak8WMQ NxlaEZ+8VEoB9o0M9yq/w8+sUMGzNorGE4dJ8WGg3Ldw5R6RBSFlogEC7E0q1Xpfi2q6 +tPQ==
X-Forwarded-Encrypted: i=1; AJvYcCUBvwnKqFrANuD9KQ7O6dBIosujNpjGvTjs9H22LNdiNafzamqKe9HldM8s8yPvgJbVMxpC@ietf.org
X-Gm-Message-State: AOJu0YxgSNAnK8N4r5vUOw37BtSA2D1cokH7cfuXP/mvlvRPIUYHDhZv wnu9Gpdt7bdczwX7P3EX/p3b2vhstVl6BuSjqnq3IxJpGrZUhNfm7dbO6RuYeQDXsjwvO4JDGWN eO3BtaZvYoa4mZ+DhX+3S801qvsFKWCQWqz+aFQyoe5cCJiRI2rA=
X-Gm-Gg: ASbGncuqFP8Ck36py8AWQSqbKv/UxsbozWjc2xPcqC+KHy5vgwjN8WXT+XBGiYzygVT n2Zo+HDhLt7y7QYlUhGWRMYJqoKwGQO1r4AFsFn62OiezH026Kdm/YdN3wAzU077qOsNEhKdpwg h4zLj46/7mDo12bxiPyMawxaruNGLpfBEbx2KtTZmg9tynOTXLqwKmFIjx
X-Google-Smtp-Source: AGHT+IFYz3jYKB9wt+YuezWx3LNyb5Gk5GzUKXns6XE9Xk5VLsJ+uXsreQ/2YJ85T73N1m2rIYYGTXER8gP78UhR4Us=
X-Received: by 2002:a05:6e02:2707:b0:3d8:2178:5c63 with SMTP id e9e14a558f8ab-3d88ed78723mr9995815ab.4.1744939873248; Thu, 17 Apr 2025 18:31:13 -0700 (PDT)
MIME-Version: 1.0
References: <20250415224926.759AB22A2CB@rfcpa.rfc-editor.org> <CAL02cgT+H1ouY6o9dYhDaFAe9GA7rfO9izXMV3BOhOX5CCgdJA@mail.gmail.com> <CAKC-DJgfjzUzLoLxmcM9UzyPfa_tQMOOdKxPqbzS1mn9UxNMNw@mail.gmail.com> <CAGgd1OdiU38LQFHzfcbbGd3BtgSryGaMwobxBDmLZj_725O=aA@mail.gmail.com> <aAFZDIJRdeFpIOi9@akamai.com>
In-Reply-To: <aAFZDIJRdeFpIOi9@akamai.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 17 Apr 2025 21:31:02 -0400
X-Gm-Features: ATxdqUHA13A7-M8w6FrnjfugR-tTA_TDoR4MsyKkT7BjPMfwRexSpgJbUFhl1iU
Message-ID: <CAL02cgSqrFEocCqoewvLepfOAiCzw+mPkv_Ev=u_ds+QipdQSQ@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Content-Type: multipart/alternative; boundary="0000000000004cd01d06330379fb"
Message-ID-Hash: ORFW5RKVPG7UXEL34BZG7KRLIOBN75EV
X-Message-ID-Hash: ORFW5RKVPG7UXEL34BZG7KRLIOBN75EV
X-MailFrom: rlb@ipv.sx
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-acme.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Deb Cooley <debcooley1@gmail.com>, Erik Nygren <erik+ietf@nygren.org>, jsha@eff.org, cpu@letsencrypt.org, jdkasten@umich.edu, acme@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Acme] Re: [Technical Errata Reported] RFC8555 (8381)
List-Id: Automated Certificate Management Environment <acme.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/orYEjoiRJVvuoMa5z6fNdgs9YzQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Owner: <mailto:acme-owner@ietf.org>
List-Post: <mailto:acme@ietf.org>
List-Subscribe: <mailto:acme-join@ietf.org>
List-Unsubscribe: <mailto:acme-leave@ietf.org>

Just replace "errata" in your mind with "small change we would just make to
the document if the RFC publication process weren't so sclerotic", and it
makes perfect sense.

--RLB

On Thu, Apr 17, 2025 at 3:40 PM Benjamin Kaduk <bkaduk@akamai.com> wrote:

> Hi Deb,
>
> That matches my understanding of the proposal.
>
> (I always get a bit nervous about using "Verified" for new text that
> points to
> references that didn't exist at the time of the publication of the original
> RFC, but maybe that's just me.  And I guess draft-ietf-dnsop-svcb-httpssvc
> was
> around then, technically speaking.)
>
> -Ben
>
> On Wed, Apr 16, 2025 at 07:35:22PM -0400, Deb Cooley wrote:
> >    This Message Is From an External Sender
> >    This message came from outside your organization.
> >
> >    Trimming the to line so it doesn't get stuck in moderation.....
> >    I'm just making sure that I know what needs to be done when I next go
> in
> >    to mark this errata as verified (not today, BTW).
> >    I'm replacing the Corrected Text with this text?
> >    "Dereference the URL using an HTTP GET request.  This request MUST be
> sent
> >    to TCP port 80 on the HTTP server.  The HTTP client MUST ignore the
> >    presence and content of any HTTPS DNS RRs [RFC 9460] for the domain
> name
> >    being verified.  This includes, but is not limited to, a requirement
> that
> >    the HTTP client MUST NOT apply the strict transport security behavior
> >    specified in Section 9.5 of [RFC9460]."
> >    And then not touching the original text or the notes.
> >    If I've gotten this wrong, it might be easier to file another errata
> and
> >    I'll reject the first and verify the second.
> >    Deb
> >    Your errata servant
> >    On Wed, Apr 16, 2025 at 2:43 PM Erik Nygren <[1]erik+ietf@nygren.org>
> >    wrote:
> >
> >      Revised proposed text from Ben Kaduk:
> >      "The HTTP client MUST ignore the presence and content of any HTTPS
> DNS
> >      RRs
> >      [RFC 9460] for the domain name being verified.  This includes, but
> is
> >      not
> >      limited to, a requirement that the HTTP client MUST NOT apply the
> strict
> >      transport security behavior specified in Section 9.5 of [RFC9460]."
> >      On Wed, Apr 16, 2025 at 10:41 AM Richard Barnes <[2]rlb@ipv.sx>
> wrote:
> >
> >        I would mark this as Verified, though I suggested a couple of
> friendly
> >        amendments on the mailing list:
> >
> >        [3]
> https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/
> >        On Tue, Apr 15, 2025 at 6:49 PM RFC Errata System
> >        <[4]rfc-editor@rfc-editor.org> wrote:
> >
> >          The following errata report has been submitted for RFC8555,
> >          "Automatic Certificate Management Environment (ACME)".
> >
> >          --------------------------------------
> >          You may review the report below and at:
> >          [5]https://www.rfc-editor.org/errata/eid8381
> >
> >          --------------------------------------
> >          Type: Technical
> >          Reported by: Erik Nygren <[6]erik+ietf@nygren.org>
> >
> >          Section: 8.3
> >
> >          Original Text
> >          -------------
> >             3.  Dereference the URL using an HTTP GET request.  This
> request
> >          MUST
> >                 be sent to TCP port 80 on the HTTP server.
> >
> >          Corrected Text
> >          --------------
> >             3.  Dereference the URL using an HTTP GET request.  This
> request
> >          MUST
> >                 be sent to TCP port 80 on the HTTP server.  (The HTTP
> client
> >          must
> >                 not resolve and/or must ignore any HTTPS DNS RRs [RFC
> 9460].)
> >
> >          Notes
> >          -----
> >          Doing a DNS lookup of an HTTPS DNS RR [RFC 9460] might force the
> >          client to switch from HTTP to HTTPS scheme which would break
> HTTP-01
> >          lookups.  The RFC8555 text is clear that "request MUST be sent
> to
> >          TCP port 80 on the HTTP server" which would be violated if the
> >          validating client did an HTTPS RR lookup in the DNS and
> followed the
> >          instructions in RFC 9460 section 9.5.
> >
> >          Instructions:
> >          -------------
> >          This erratum is currently posted as "Reported". (If it is spam,
> it
> >          will be removed shortly by the RFC Production Center.) Please
> >          use "Reply All" to discuss whether it should be verified or
> >          rejected. When a decision is reached, the verifying party
> >          will log in to change the status and edit the report, if
> necessary.
> >
> >          --------------------------------------
> >          RFC8555 (draft-ietf-acme-acme-18)
> >          --------------------------------------
> >          Title               : Automatic Certificate Management
> Environment
> >          (ACME)
> >          Publication Date    : March 2019
> >          Author(s)           : R. Barnes, J. Hoffman-Andrews, D.
> McCarney, J.
> >          Kasten
> >          Category            : PROPOSED STANDARD
> >          Source              : Automated Certificate Management
> Environment
> >          Stream              : IETF
> >          Verifying Party     : IESG
> >
> > Links:
> > 1. mailto:erik%2Bietf@nygren.org/
> > 2. mailto:rlb@ipv.sx/
> > 3.
> https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/acme/zSDRngwBWTgsCfNPcAp6tGO1Ba4/__;!!GjvTz_vk!RAD5VXwqPE8seyvrvjs4dx_HdssruykT5XU8fjK1JJ5b2t2EOGp4uVBLbMVHsLBMRIqb9DL7F3C8mHiJrw$
> > 4. mailto:rfc-editor@rfc-editor.org/
> > 5.
> https://urldefense.com/v3/__https://www.rfc-editor.org/errata/eid8381__;!!GjvTz_vk!RAD5VXwqPE8seyvrvjs4dx_HdssruykT5XU8fjK1JJ5b2t2EOGp4uVBLbMVHsLBMRIqb9DL7F3ByRaNYsg$
> > 6. mailto:erik%2Bietf@nygren.org/
>

v2.31.3 | Report a Bug | By Email | System Status