Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

Seo Suchan <tjtncks@gmail.com> Mon, 15 January 2024 12:46 UTC

Date: Mon, 15 Jan 2024 21:46:47 +0900
From: Seo Suchan <tjtncks@gmail.com>
To: acme@ietf.org
User-Agent: K-9 Mail for Android
In-Reply-To: <CAChr6SzKxz+-E45YmGsQZVz9Vy377quBKMNXiAwfEKDJWgxgFA@mail.gmail.com>
References: <CAChr6SypX6PN_00OQUzRbtyXeQYsuVeZeRjg9Xosk8uRTkzr2Q@mail.gmail.com> <CAEmnErfE=-HMKkf4MHUfYCLam0baWA+QnAA7tg_tREtPFvRhdQ@mail.gmail.com> <CAChr6SzGo-4RZ0TwfqcJhy4FzL53LmsWHpe9EmN5eN_GDhdLzw@mail.gmail.com> <CAOG=JU+YFE826M7aW_KJRXNw639QjvVgH4WryPJ++Xq+BGS+Uw@mail.gmail.com> <CAChr6Syg80PWYDBDA872gyUkPoVKWvr2zsRmOUs16mGawQPa6g@mail.gmail.com> <CAGgd1Oc2=yXQvw+0sLZ+q5FKeg8N7_jxC-MdjaV9pjsmCNaEow@mail.gmail.com> <CAChr6SwAYSn4eEVvnce7XR18G8KPixFG_BbHRKzSKMrkEv4Nig@mail.gmail.com> <CAEmnErdY9umopZBBy4i6-2WcZotkopKquDPTRfaTCnURL49t=w@mail.gmail.com> <CAChr6Swap48ZkNRxxkdqQ_2YSgDzg4CG-dJGdJUiA05GYzBOMw@mail.gmail.com> <CAGgd1Oc7Mb9FKZWxFFB3bYwR+b7g09u6bcGk6oVDQgPm6Fqg+A@mail.gmail.com> <CAChr6SzKxz+-E45YmGsQZVz9Vy377quBKMNXiAwfEKDJWgxgFA@mail.gmail.com>
Message-ID: <E167F937-C13F-4F1D-B0B0-518E3861B8FD@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/sSUT3vNRBFpdOPYfS_qH0lwQVc8>
Subject: Re: [Acme] [Errata Held for Document Update] RFC8555 (6843)

https://dl.acm.org/doi/10.1145/2736277.2741089
I think this is the attack the RFC mentions.
Anyway, as we can't use the certificate for trust for HTTPS in the validation context, HTTPS does no better a job than HTTP.

On 15 January 2024 at 21:41:41 GMT+09:00, Rob Sayre <sayrer@gmail.com> wrote:
>On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <debcooley1@gmail.com> wrote:
>
>>   Items being brought up for discussion need to have specific and concrete
>> examples within scope.
>>
>
>I think the issue is that the spec is not specific or concrete:
>
>"Because many web servers
>allocate a default HTTPS virtual host to a particular low-privilege
>tenant user in a subtle and non-intuitive manner, the challenge must
>be completed over HTTP, not HTTPS."
>
>That sentence is very vague, and also seems to preclude HSTS as specified
>in RFC 6797.*
>
>I can understand that HTTP (rather than HTTPS) might need to be used
>sometimes, but requiring it seems to conflict with HSTS, and enable the
>exact attack HSTS aims to address. The erratum suggests a redirect, but
>HSTS also aims to avoid that. At first, I thought there might be a
>bootstrapping problem. But, if that were the case, the redirect in the
>erratum wouldn't work either.
>
>thanks,
>Rob
>
>* https://datatracker.ietf.org/doc/html/rfc6797
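To make the point in the reply above concrete: what an HTTP-01 validator actually checks is the key authorization in the response body, not anything about the transport, so a redirect from port 80 onto HTTPS costs nothing as long as the validator does not try to trust the certificate it meets there. The following sketch is an added example written for this thread; it is not code from RFC 8555, from the erratum, or from any CA's validator. The JWK thumbprint (RFC 7638) and key authorization (RFC 8555 section 8.1) follow the RFCs; the rest is assumption: the `Response`/`make_host` objects are an in-memory stand-in for a web server, the sample JWK coordinates are constructed, and the policy of following redirects only to http/https targets and ignoring certificate trust on an HTTPS hop is the behaviour the reply argues for, not text from the RFC.

```python
"""HTTP-01 validator sketch: start over plain HTTP, follow redirects, and
treat any TLS certificate met on the way as untrusted.  Added example, not
code from RFC 8555 or any CA's validator."""
import base64
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint hashes only the required public members, serialized
# as JSON with lexicographically ordered keys and no whitespace.
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_canonical(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_canonical(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: bytes = b""
    location: Optional[str] = None
    cert_trusted: Optional[bool] = None  # None on plain HTTP; never consulted


Fetcher = Callable[[str], Response]
_REDIRECTS = (301, 302, 303, 307, 308)


def validate_http01(domain: str, token: str, account_jwk: dict,
                    fetch: Fetcher, max_redirects: int = 10) -> Tuple[bool, str]:
    """First request over plain HTTP (RFC 8555 section 8.3); redirects are
    followed (assumed policy: http/https targets only); the body must equal
    the key authorization.  Returns (ok, reason)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, account_jwk)
    for _ in range(max_redirects + 1):
        resp = fetch(url)
        if resp.status in _REDIRECTS and resp.location:
            if not resp.location.startswith(("http://", "https://")):
                return False, f"refusing redirect to {resp.location!r}"
            url = resp.location
            continue
        if resp.status != 200:
            return False, f"status {resp.status} from {url}"
        # resp.cert_trusted is deliberately ignored: the certificate on the
        # redirect target cannot vouch for the name we are about to issue for,
        # so an HTTPS hop adds nothing to (and takes nothing from) the check.
        if resp.body.decode("ascii", "replace").rstrip() != expected:
            return False, "key authorization mismatch"
        return True, f"validated at {url}"
    return False, "too many redirects"


# Sample account key (constructed coordinates, not a real key).  The extra
# "use" member must not leak into the thumbprint.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def make_host(domain: str, token: str, account_jwk: dict, *,
              https_only: bool, cert_trusted: bool = False) -> Fetcher:
    """Constructed in-memory web server: with https_only it behaves like an
    HSTS-style deployment that 301s every port-80 request to HTTPS."""
    path = f"/.well-known/acme-challenge/{token}"
    body = key_authorization(token, account_jwk).encode("ascii") + b"\n"

    def fetch(url: str) -> Response:
        if url == f"http://{domain}{path}":
            if https_only:
                return Response(301, location=f"https://{domain}{path}")
            return Response(200, body=body)
        if url == f"https://{domain}{path}":
            return Response(200, body=body, cert_trusted=cert_trusted)
        return Response(404)

    return fetch


if __name__ == "__main__":
    host = make_host("example.test", "tok-1", SAMPLE_JWK, https_only=True)
    print(validate_http01("example.test", "tok-1", SAMPLE_JWK, host))
```

Run as-is it validates against the HSTS-style host, which answers port 80 only with a 301 to HTTPS and serves the challenge there behind a certificate the validator does not trust; the outcome is the same as for a host that serves the body directly over port 80, and a request signed for a different account key is rejected either way.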