https://dl.acm.org/doi/10.1145/2736277.2741089
Think this is the attack the RFC mentions.
Anyway, as we can't use certificates for trust for HTTPS in a validation context,
HTTPS does no better job than HTTP.

On 15 January 2024 at 21:41:41 GMT+09:00, Rob Sayre <[email protected]> wrote:
>On Mon, Jan 15, 2024 at 3:42 AM Deb Cooley <[email protected]> wrote:
>
>>   Items being brought up for discussion need to have specific and concrete
>> examples within scope.
>>
>
>I think the issue is that the spec is not specific or concrete:
>
>"Because many web servers
>allocate a default HTTPS virtual host to a particular low-privilege
>tenant user in a subtle and non-intuitive manner, the challenge must
>be completed over HTTP, not HTTPS."
>
>That sentence is very vague, and also seems to preclude HSTS as specified
>in RFC 6797.*
>
>I can understand that HTTP (rather than HTTPS) might need to be used
>sometimes, but requiring it seems to conflict with HSTS, and enable the
>exact attack HSTS aims to address. The erratum suggests a redirect, but
>HSTS also aims to avoid that. At first, I thought there might be a
>bootstrapping problem. But, if that were the case, the redirect in the
>erratum wouldn't work either.
>
>thanks,
>Rob
>
>* https://datatracker.ietf.org/doc/html/rfc6797
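The HTTP-01 flow the thread is arguing about, written out as an added example (not code from the list, the RFC, or any CA): the CA starts on plain HTTP, follows redirects including the HTTPS redirect an HSTS deployment sends, and the server certificate plays no role in the trust decision. The fetcher, token and account thumbprint are constructed for the demonstration.

```python
"""HTTP-01 validation sketch (RFC 8555 section 8.3): start on http://, port 80,
follow redirects, compare the body to the key authorization. The fetcher is
injected so the logic runs offline against constructed responses."""
import base64
import hashlib
from typing import Callable, Dict, Tuple

MAX_REDIRECTS = 10
Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)
Fetcher = Callable[[str], Response]


def key_authorization(token: str, account_thumbprint: bytes) -> str:
    # RFC 8555 section 8.1: token "." base64url(JWK thumbprint), no padding
    return token + "." + base64.urlsafe_b64encode(account_thumbprint).rstrip(b"=").decode("ascii")


def validate_http01(domain: str, token: str, account_thumbprint: bytes, fetch: Fetcher) -> bool:
    expected = key_authorization(token, account_thumbprint)
    url = f"http://{domain}/.well-known/acme-challenge/{token}"  # always plain HTTP first
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            url = headers.get("Location", "")
            if not url.startswith(("http://", "https://")):
                return False
            # An https:// target is simply fetched next; the certificate proves
            # nothing at this stage, which is the point made in the thread.
            continue
        return status == 200 and body.decode("utf-8", "replace").strip() == expected
    return False  # redirect loop or too many hops


# Constructed sample values (not from any real ACME exchange).
CONSTRUCTED_TOKEN = "constructed-token-123"
CONSTRUCTED_THUMBPRINT = hashlib.sha256(b"constructed account JWK").digest()


def hsts_style_site(url: str) -> Response:
    """Constructed tenant site: HTTP is redirected to HTTPS, as HSTS deployments
    do, and the HTTPS endpoint serves the key authorization."""
    if url.startswith("http://"):
        return 301, {"Location": "https://" + url[len("http://"):]}, b""
    token = url.rsplit("/", 1)[-1]
    return 200, {}, key_authorization(token, CONSTRUCTED_THUMBPRINT).encode() + b"\n"


def redirect_loop(url: str) -> Response:
    """Constructed misbehaving site that redirects to itself forever."""
    return 302, {"Location": url}, b""
```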
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
