The two HTTP validation methods (.6 and .19) do not specify requirements for honoring HSTS and, when validation is performed over HTTPS, validating the certificate. I propose that we explicitly define these requirements. I think it is common practice for CAs not to honor HSTS or validate certs when performing domain name validation.
Are you suggesting that if I put a self-signed certificate on my domain example.com, that validation should fail because the certificate is not valid? What is the point of that, since HTTP validation is allowed and would succeed?
I support explicitly defining the requirements (for clarity), but couldn't they be as simple as "you can ignore HSTS and certificate validity for HTTPS"?
> I support explicitly defining the requirements (for clarity), but couldn't they be as simple as "you can ignore HSTS and certificate validity for HTTPS"?
Yes, I think so, but I've been around this group long enough that I'm not going to assume it's that simple.