It sounds like that's a bug or at least a discrepancy.

.dev domains should never respond over HTTP. The whole point is to avoid
that initial request.

thanks,
Rob


On Thu, Jan 11, 2024 at 7:10 PM Aaron Gable <aa...@letsencrypt.org> wrote:

> This erratum changed "completed" to "initiated", so the document now
> correctly allows redirects from HTTP to HTTPS. If you believe that
> challenges should be able to be initiated over HTTPS as well, this erratum
> is not the right place for that discussion.
>
> But perhaps more importantly, ACME Servers do not have an HSTS Preload
> list. The idea of the preload list is an extension of HSTS implemented by
> certain browsers, but other user-agents are under no obligation to respect
> a preload list.
>
> Aaron
>
> On Thu, Jan 11, 2024 at 7:03 PM Rob Sayre <say...@gmail.com> wrote:
>
>> Hi,
>>
>> Is this one valid?
>>
>> https://www.rfc-editor.org/errata/eid6843
>>
>> > the challenge must be initiated over HTTP, not HTTPS.
>>
>> What if the host is on a .dev domain? That should be in the HSTS preload
>> list.
>>
>> thanks,
>> Rob
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org
>> https://www.ietf.org/mailman/listinfo/acme
>>
>