On Sun, Jan 14, 2024, 10:12 Rob Sayre <[email protected]> wrote:

> On Sun, Jan 14, 2024 at 3:01 AM Deb Cooley <[email protected]> wrote:
>
>> I had this marked as 'hold for update' (vs. 'verified').  I can't tell
>> from the discussion how you think we should be handling it.
>>
>
> The erratum says "the challenge must be initiated over HTTP, not HTTPS.",
> which is a little better than the current draft, in my opinion.
>

To be clear, the document being discussed is not a draft, it's a full RFC
which was finalized five years ago.


> But there are TLDs (.app, .dev, .bank, etc) that are not supposed to be
> contacted over clear text HTTP at all. There is also the HSTS preload list
> for certain domains (this is a big list...).
>

Many .dev domains successfully get certificates via ACME, including via the
HTTP-01 challenge method being discussed here. They can be contacted via
port 80 just fine, just not by mainstream browsers.


> Others have said this list is just for browsers, but that is not the case.
> For example, the default networking stack on Apple operating systems
> enforces HSTS policies.
>

While you're correct that HSTS preload lists (there are multiple) are not
just for browsers, they are just for the applications and platforms that
maintain them. ACME clients do not generally run on such platforms, they
usually run on server operating systems. They are under no obligation to
use any HSTS preload list (which are not part of the HSTS spec), if there
even was an obvious list for them to use.


> So, my point is that the entire sentence might be wrong, and could need
> more than a slight adjustment.
>
> thanks,
> Rob
>
>
> _______________________________________________
> Acme mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/acme
>
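As an added example (not from this thread, from RFC 8555, or from any ACME implementation), here is a toy CA-side HTTP-01 validator in Python that models the point under discussion: the challenge is always initiated at http://<domain>/.well-known/acme-challenge/<token> on port 80, a site's own http-to-https redirect is followed, and no HSTS preload list is consulted. The domain, token, transport stub and the key authorization stand-in "tok123.THUMBPRINT" (standing in for the real token.thumbprint value) are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


def http01_url(domain: str, token: str) -> str:
    """RFC 8555 section 8.3: the CA dereferences this URL, always scheme http
    (port 80); an HSTS preload entry for the TLD plays no role here."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(domain, token, key_authz, fetch, max_redirects=5):
    """Return (ok, trace). `fetch(url) -> Response` is an injected transport
    stub so the walk-through runs offline; `trace` lists every URL requested."""
    url = http01_url(domain, token)
    trace = []
    for _ in range(max_redirects + 1):
        trace.append(url)
        resp = fetch(url)
        if resp.status in REDIRECTS and resp.location:
            # A site may bounce port-80 traffic to https; the validator follows
            # it (RFC 8555 says it SHOULD) but never *starts* on https.
            url = resp.location
            continue
        return resp.status == 200 and resp.body.strip() == key_authz, trace
    return False, trace  # redirect loop or too many hops


def make_fake_origin(domain, token, key_authz, redirect_to_https=False):
    """Constructed origin server: serves the key authorization at the challenge
    path; optionally redirects every cleartext request to https, as many .dev
    sites do, which is harmless because the challenge was initiated on http."""
    def fetch(url):
        parts = urlsplit(url)
        if parts.hostname != domain:
            return Response(404)
        if parts.scheme == "http" and redirect_to_https:
            return Response(301, location=f"https://{domain}{parts.path}")
        if parts.path == f"/.well-known/acme-challenge/{token}":
            return Response(200, key_authz + "\n")
        return Response(404)
    return fetch
```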