On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <[email protected]> wrote:
> Items being brought up for discussion need to have specific and concrete
> examples within scope.
>

I think the issue is that the spec is not specific or concrete:

"Because many web servers allocate a default HTTPS virtual host to a particular low-privilege tenant user in a subtle and non-intuitive manner, the challenge must be completed over HTTP, not HTTPS."

That sentence is very vague, and also seems to preclude HSTS as specified in RFC 6797.*

I can understand that HTTP (rather than HTTPS) might need to be used sometimes, but requiring it seems to conflict with HSTS, and enable the exact attack HSTS aims to address.

The erratum suggests a redirect, but HSTS also aims to avoid that.

At first, I thought there might be a bootstrapping problem. But, if that were the case, the redirect in the erratum wouldn't work either.

thanks,
Rob

* https://datatracker.ietf.org/doc/html/rfc6797
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
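The mechanics the thread is arguing about, as an added, simulated example (no sockets) that is not code from the ACME working group, any CA, or any web server: an HTTP-01 responder for port 80 that either answers the challenge directly or, as the erratum Rob mentions suggests, 301-redirects it to HTTPS, plus a sketch of the CA-side validator that performs the plain-HTTP fetch of RFC 8555 section 8.3 and follows redirects. The key authorization is built per RFC 8555 section 8.1 from the token and the RFC 7638 JWK thumbprint of the account key. HSTS is emitted only on the HTTPS side, because RFC 6797 section 8.1 requires user agents to ignore a Strict-Transport-Security header received over insecure transport. The host name `example.test`, the token values and the JWK member values are constructed for the example; the JWK strings are not real key material.

```python
"""HTTP-01 responder and validator sketch (simulated, no sockets). Added example;
not ACME WG, CA, or web-server code. Shows the two layouts under discussion:
answer the challenge over plain HTTP on port 80, or 301 the challenge to HTTPS
and let the validator follow it. HSTS lives on the HTTPS side only."""
import base64
import hashlib
import json
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
CHALLENGES: dict = {}  # token -> key authorization, published by the ACME client


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without padding, as used throughout ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, with no whitespace. Extra members (kid, use, ...) and
    the order the key arrived in do not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"),
                "OKP": ("crv", "kty", "x")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def publish(token: str, account_jwk: dict) -> str:
    """ACME client side: provision the key authorization for a token."""
    CHALLENGES[token] = key_authorization(token, account_jwk)
    return CHALLENGES[token]


def _challenge_response(path: str) -> tuple:
    token = path[len(ACME_PREFIX):]
    if token in CHALLENGES:
        return (200, {"Content-Type": "application/octet-stream"}, CHALLENGES[token])
    return (404, {}, "")


def route_http(host: str, path: str, redirect_challenge: bool = False) -> tuple:
    """Port-80 handler, returns (status, headers, body).

    The validator's first fetch is plain HTTP (RFC 8555 section 8.3), so the
    challenge path must be reachable here: served directly, or redirected to
    HTTPS when redirect_challenge is set. Everything else is always redirected.
    No Strict-Transport-Security header is sent: over HTTP it must be ignored
    by user agents (RFC 6797 section 8.1)."""
    if path.startswith(ACME_PREFIX) and not redirect_challenge:
        return _challenge_response(path)
    return (301, {"Location": f"https://{host}{path}"}, "")


def route_https(host: str, path: str) -> tuple:
    """Port-443 handler: same site, now carrying the HSTS policy. It also
    serves the challenge path so that the redirect layout validates."""
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    if path.startswith(ACME_PREFIX):
        status, headers, body = _challenge_response(path)
        return (status, {**headers, **hsts}, body)
    return (200, hsts, f"secure content for {path}")


def validate(token: str, expected: str, redirect_challenge: bool = False,
             host: str = "example.test", max_hops: int = 5) -> bool:
    """CA side, simulated: GET http://<host>/.well-known/acme-challenge/<token>,
    follow up to max_hops redirects (RFC 8555 section 8.3 says the server SHOULD
    follow them), and compare the body with the expected key authorization.
    The validator is not a browser and holds no HSTS state, so nothing stops
    its initial request from going to port 80."""
    url = f"http://{host}{ACME_PREFIX}{token}"
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        if parts.scheme == "http":
            status, headers, body = route_http(parts.netloc, parts.path, redirect_challenge)
        elif parts.scheme == "https":
            status, headers, body = route_https(parts.netloc, parts.path)
        else:
            return False
        if status in (301, 302, 307, 308) and "Location" in headers:
            url = headers["Location"]
            continue
        return status == 200 and body.strip() == expected
    return False  # too many hops


if __name__ == "__main__":
    acct = {"kty": "RSA", "n": "constructed-not-a-real-modulus", "e": "AQAB"}
    ka = publish("tok123", acct)
    print("direct:  ", validate("tok123", ka))
    print("redirect:", validate("tok123", ka, redirect_challenge=True))
```

Both layouts validate in the simulation, which is the point of the erratum's redirect suggestion; what neither layout changes is that the validator's first request is plain HTTP, which is the requirement the message above objects to.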
