The following errata report has been held for document update for RFC8555, "Automatic Certificate Management Environment (ACME)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6843

--------------------------------------
Status: Held for Document Update
Type: Technical

Reported by: James Kasten <jdkas...@umich.edu>
Date Reported: 2022-02-08
Held by: Roman Danyliw (IESG)

Section: 8.3

Original Text
-------------
Because many web servers allocate a default HTTPS virtual host to a
particular low-privilege tenant user in a subtle and non-intuitive
manner, the challenge must be completed over HTTP, not HTTPS.

Corrected Text
--------------
Because many web servers allocate a default HTTPS virtual host to a
particular low-privilege tenant user in a subtle and non-intuitive
manner, the challenge must be initiated over HTTP, not HTTPS.

Notes
-----
Completing the entire http-01 challenge over HTTP is unnecessary. The
threat of default HTTPS virtual hosts is remediated by "initiating" the
http-01 challenge over HTTP. Validation servers which redirect from HTTP
to HTTPS should be permitted following the rest of the guidance within
Section 10, Security Considerations.

--------------------------------------
RFC8555 (draft-ietf-acme-acme-18)
--------------------------------------
Title               : Automatic Certificate Management Environment (ACME)
Publication Date    : March 2019
Author(s)           : R. Barnes, J. Hoffman-Andrews, D. McCarney, J. Kasten
Category            : PROPOSED STANDARD
Source              : Automated Certificate Management Environment
Area                : Security
Stream              : IETF
Verifying Party     : IESG

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
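
The difference between "completed" and "initiated" over HTTP, shown as an added example that is not part of the errata report or of RFC 8555: a validator-side policy check over the chain of URLs fetched for one http-01 validation. The function names, the redirect limit and the sample URLs are assumptions constructed for this illustration.

```python
from urllib.parse import urlsplit

MAX_REDIRECTS = 10  # assumption: local validator policy, not a value from RFC 8555


def http01_url(domain, token):
    """URL the validator dereferences first (RFC 8555 Section 8.3)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def check_chain(domain, token, chain):
    """chain[0] is the first request; chain[1:] are the redirect targets
    followed, in order. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    first = urlsplit(chain[0])
    # Corrected text: the challenge must be *initiated* over HTTP.
    if first.scheme != "http":
        return False, "not initiated over HTTP"
    # Section 8.3: the first request goes to TCP port 80 of the named host.
    if first.hostname != domain.lower() or first.port not in (None, 80):
        return False, "first request not to port 80 of the validated domain"
    if chain[0] != http01_url(domain, token) and first.port is None:
        return False, "first request is not the well-known challenge URL"
    if len(chain) - 1 > MAX_REDIRECTS:
        return False, "too many redirects"
    for hop in chain[1:]:
        target = urlsplit(hop)
        # Later hops may move to HTTPS; other schemes are refused.
        if target.scheme not in ("http", "https") or not target.hostname:
            return False, f"unacceptable redirect target: {hop}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample chains for a constructed domain and token.
    start = http01_url("example.org", "tok123")
    samples = {
        "http then https redirect": [start, "https://example.org/.well-known/acme-challenge/tok123"],
        "started on https": ["https://example.org/.well-known/acme-challenge/tok123"],
        "redirect to ftp": [start, "ftp://example.org/tok123"],
    }
    for name, chain in samples.items():
        print(name, "->", check_chain("example.org", "tok123", chain))
```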