On Sun, Jan 14, 2024 at 3:01 AM Deb Cooley <[email protected]> wrote:

> I had this marked as 'hold for update' (vs. 'verified').  I can't tell
> from the discussion how you think we should be handling it.
>

The erratum says "the challenge must be initiated over HTTP, not HTTPS.",
which is a little better than the current draft, in my opinion.

But there are TLDs (.app, .dev, .bank, etc) that are not supposed to be
contacted over clear text HTTP at all. There is also the HSTS preload list
for certain domains (this is a big list...).

Others have said this list is just for browsers, but that is not the case.
For example, the default networking stack on Apple operating systems
enforces HSTS policies.

So, my point is that the entire sentence might be wrong, and could need
more than a slight adjustment.

thanks,
Rob
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
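An added example, not part of the thread above: a small check an ACME client or server operator could run before attempting an http-01 challenge, answering the question Rob raises of whether a name falls under a preloaded HSTS policy. It assumes the Chromium preload file layout (an `entries` array with `name`, `mode` and `include_subdomains`); the entries below are a constructed excerpt, not the real list.

```python
import json
from typing import Optional

# Constructed excerpt in the shape of Chromium's transport_security_state_static.json
# "entries" array. Not the real list, which has tens of thousands of entries; the TLD
# entries (.app, .dev, .bank) mirror the ones mentioned in the thread.
PRELOAD_EXCERPT = json.dumps({
    "entries": [
        {"name": "app", "policy": "public-suffix", "mode": "force-https", "include_subdomains": True},
        {"name": "dev", "policy": "public-suffix", "mode": "force-https", "include_subdomains": True},
        {"name": "bank", "policy": "public-suffix", "mode": "force-https", "include_subdomains": True},
        {"name": "example.com", "policy": "custom", "mode": "force-https", "include_subdomains": False},
    ]
})


def load_preload(json_text: str) -> dict[str, bool]:
    """Map each force-https preload name to whether its policy covers subdomains."""
    data = json.loads(json_text)
    return {
        entry["name"].lower(): bool(entry.get("include_subdomains", False))
        for entry in data["entries"]
        if entry.get("mode") == "force-https"
    }


def hsts_preloaded_for(hostname: str, preload: dict[str, bool]) -> Optional[str]:
    """Return the preload entry that forces HTTPS for hostname, or None.

    Walks from the full name up to the TLD. An exact match always applies;
    a parent entry applies only when it was preloaded with include_subdomains.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in preload and (i == 0 or preload[candidate]):
            return candidate
    return None


def http01_cleartext_conflicts(hostname: str, preload: dict[str, bool]) -> bool:
    """True if initiating an http-01 challenge over clear-text HTTP would contradict
    a preloaded HSTS policy: an HSTS-enforcing client (browser or OS networking stack)
    upgrades such a request to HTTPS before it is ever sent."""
    return hsts_preloaded_for(hostname, preload) is not None
```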