Given the discussion and lack of consensus it is clear to me that 'hold for
update' is the right call for this errata.

In addition, we need to keep our discussions polite on this list; there
will be no bullying here.  Items being brought up for discussion need to
have specific and concrete examples within scope.

Deb
ACME chair

On Mon, Jan 15, 2024 at 12:54 AM Rob Sayre <[email protected]> wrote:

>
>
> On Sun, Jan 14, 2024 at 9:12 PM Aaron Gable <[email protected]> wrote:
>
>> On Sun, Jan 14, 2024, 10:12 Rob Sayre <[email protected]> wrote:
>>
>>> On Sun, Jan 14, 2024 at 3:01 AM Deb Cooley <[email protected]> wrote:
>>>
>>>> I had this marked as 'hold for update' (vs. 'verified').  I can't tell
>>>> from the discussion how you think we should be handling it.
>>>>
>>>
>>> The erratum says "the challenge must be initiated over HTTP, not
>>> HTTPS.", which is a little better than the current draft, in my opinion.
>>>
>>
>> To be clear, the document being discussed is not a draft, it's a full RFC
>> which was finalized five years ago.
>>
>
> That's twice now. Just stop with this stuff. Do you seriously think I
> don't understand IETF procedures?
>
>> While you're correct that HSTS preload lists (there are multiple) are not
>> just for browsers, they are just for the applications and platforms that
>> maintain them. ACME clients do not generally run on such platforms, they
>> usually run on server operating systems. They are under no obligation to
>> use any HSTS preload list (which are not part of the HSTS spec), if there
>> even was an obvious list for them to use.
>>
>
> Your protocol is insecure.
>
> thanks,
> Rob
>
>
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
