{Tourist warning here}
Peter Eckersley <[email protected]> wrote:
>> > I am OK with dropping the TLS option for "simpleHttp" validations.
>> > (We can always make SimpleHTTPS later.)
>>
>> One annoying implication with dropping the TLS option is that it makes
>> it difficult to complete the SimpleHTTP challenge when your HTTP site
>> redirects to HTTPS, as best practice dictates. You'd have to
>> special-case an exception to allow the challenge response to be served
>> over HTTP (this is annoying to do in Apache).
>>
>> This isn't a problem if the ACME server follows redirects when
>> validating the challenge. The draft doesn't currently require or
>> forbid following redirects, so implementations will probably end up
>> doing whatever their HTTP client library does by default.
> Boulder does indeed follow redirects, so that's our current plan.
So, if the verifier follows an HTTP redirect to an HTTPS site (does it even
have to be same name?), which has a (at that point) bogus certificate, and
Boulder can cope with that, then why bother having the SimpleHTTP check
method at all?
Why not just always use SimpleHTTPS?
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ Acme mailing list [email protected] https://www.ietf.org/mailman/listinfo/acme
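The redirect questions raised in this thread (is an http-to-https hop followed, and must the target be the same name?), written as explicit validator policy. This is an added example, not part of the original message and not Boulder's code; `follow_challenge`, `fake_fetch`, the `/challenge/TOKEN` path, the redirect cap and the sample responses are all constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # assumed cap; the draft discussed above sets none
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed responses: url -> (status, Location header, body)
CONSTRUCTED_SITE = {
    "http://example.com/challenge/TOKEN": (301, "https://example.com/challenge/TOKEN", ""),
    "https://example.com/challenge/TOKEN": (200, None, "TOKEN.constructed"),
    "http://example.com/moved": (302, "https://other.example/challenge/TOKEN", ""),
    "https://other.example/challenge/TOKEN": (200, None, "TOKEN.elsewhere"),
    "http://example.com/loop": (302, "/loop", ""),
}

def fake_fetch(url):
    """Hypothetical transport hook standing in for a real HTTP client."""
    return CONSTRUCTED_SITE.get(url, (404, None, ""))

def follow_challenge(start_url, fetch, allow_https=True, same_host_only=True):
    """Walk a redirect chain under an explicit policy.

    Returns (final_url, body, hops); raises ValueError when a hop is rejected.
    """
    origin_host = urlsplit(start_url).hostname
    url, hops = start_url, []
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        if status not in REDIRECT_CODES:
            return url, body, hops
        if not location:
            raise ValueError("redirect without Location header")
        target = urljoin(url, location)  # resolves relative Location values
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https"):
            raise ValueError("redirect to unsupported scheme: " + parts.scheme)
        if parts.scheme == "https" and not allow_https:
            raise ValueError("policy forbids following a redirect to https")
        if same_host_only and parts.hostname != origin_host:
            raise ValueError("redirect leaves the name being validated")
        hops.append((url, target))
        url = target
    raise ValueError("too many redirects")

if __name__ == "__main__":
    print(follow_challenge("http://example.com/challenge/TOKEN", fake_fetch))
```

Leaving either decision to the HTTP library's default, as the thread notes implementations would otherwise do, means the outcome of the cross-name and loop cases depends on which library the validator happens to use.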
