Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)
Deb Cooley <debcooley1@gmail.com> Mon, 15 January 2024 12:47 UTC
Again 'hold for update' is the only logical choice. We aren't fixing vague language with an errata. When this RFC comes up for update, I hope you will participate.

Deb

On Mon, Jan 15, 2024 at 7:41 AM Rob Sayre <sayrer@gmail.com> wrote:

> On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <debcooley1@gmail.com> wrote:
>
>> Items being brought up for discussion need to have specific and concrete examples within scope.
>
> I think the issue is that the spec is not specific or concrete:
>
> "Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS."
>
> That sentence is very vague, and also seems to preclude HSTS as specified in RFC 6797.*
>
> I can understand that HTTP (rather than HTTPS) might need to be used sometimes, but requiring it seems to conflict with HSTS, and enable the exact attack HSTS aims to address. The erratum suggests a redirect, but HSTS also aims to avoid that. At first, I thought there might be a bootstrapping problem. But, if that were the case, the redirect in the erratum wouldn't work either.
>
> thanks,
> Rob
>
> * https://datatracker.ietf.org/doc/html/rfc6797
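One way the redirect discussed above and HSTS can coexist on the same host, as an added example that is not part of this thread or of any ACME implementation: a plain-HTTP responder that answers only the RFC 8555 HTTP-01 challenge path with the key authorization (token, a dot, and the RFC 7638 thumbprint of the account key) and redirects every other HTTP request to HTTPS, emitting the HSTS header only on HTTPS responses, since RFC 6797 has clients ignore it over plain HTTP anyway. The account JWK, host name and token values are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed sample account key (EC P-256 public JWK); the coordinates are
# placeholders, not a real key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members,
    base64url-encoded without padding."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def respond(scheme: str, host: str, path: str, tokens: set) -> tuple:
    """Route one request; returns (status, headers, body).

    The challenge path is served on plain HTTP (and on HTTPS, should the
    validator follow a redirect there). Any other HTTP request is redirected
    to HTTPS, and HSTS is only ever sent on an HTTPS response.
    """
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if token in tokens:  # only tokens issued by the CA for a live challenge
            return 200, {}, key_authorization(token, ACCOUNT_JWK)
        return 404, {}, ""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}, ""
    return 200, {"Strict-Transport-Security": "max-age=31536000"}, "ok"
```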