On Sun, Jan 14, 2024 at 9:12 PM Aaron Gable <aa...@letsencrypt.org> wrote:
> On Sun, Jan 14, 2024, 10:12 Rob Sayre <say...@gmail.com> wrote:
>
>> On Sun, Jan 14, 2024 at 3:01 AM Deb Cooley <debcool...@gmail.com> wrote:
>>
>>> I had this marked as 'hold for update' (vs. 'verified'). I can't tell
>>> from the discussion how you think we should be handling it.
>>>
>>
>> The erratum says "the challenge must be initiated over HTTP, not HTTPS.",
>> which is a little better than the current draft, in my opinion.
>>
>
> To be clear, the document being discussed is not a draft, it's a full RFC
> which was finalized five years ago.
>

That's twice now. Just stop with this stuff. Do you seriously think I don't understand IETF procedures?

> While you're correct that HSTS preload lists (there are multiple) are not
> just for browsers, they are just for the applications and platforms that
> maintain them. ACME clients do not generally run on such platforms, they
> usually run on server operating systems. They are under no obligation to
> use any HSTS preload list (which are not part of the HSTS spec), if there
> even was an obvious list for them to use.
>

Your protocol is insecure.

thanks,
Rob
_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme