Aaron Stone wrote:
>
> Additionally, the requirements to first check via HTTPS, then via
> HTTP, and the requirements for identical contents, are not
> requirements imposed by RFC 5785 -- though 5785 allows that "a
> registration ... MAY also contain additional information, ... or
> protocol-specific details". A reference to that text might be useful
> to remind an implementer that other well-known URIs may have different
> protocol-specific requirements.

You've found a very serious problem with this document.

The assumption that when a Web-Server is accessible by HTTP on port 80 on some host, then an HTTPS-Server on port 443 will provide access to the same Web-Server by HTTPS is seriously flawed.

In the survey here
http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm
a simple DNS scan for webservers found 92 million domain names (out of 119) to host a Web-Server on port 80. 34 (of the 92) million had an HTTPS-Server running on port 443 as well. When performing an SSL handshake on port 443 of these 34 million (TLS client without server name indication (TLS Extension SNI)), only 3.17 percent of these servers presented a server certificate matching the hostname used by the client to open the network connection.

In essence this means the recommendation to first try HTTPS, then HTTP is going to result in ~99% failures to successfully access the correct Web-Server, and is therefore a _very_ impractical guidance for an RFC for the real world internet.

Regards,
-Martin

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
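As an added illustration (not code from this thread or from the document under discussion), a Python client that applies the HTTPS-then-HTTP rule with the identical-contents check, but reports the case Martin measures, a port 443 listener whose certificate does not name the host, as its own outcome instead of silently falling back to HTTP. The well-known path and the stand-in fetcher are assumptions made for the example.

```python
import ssl, urllib.error, urllib.request
from dataclasses import dataclass

WELL_KNOWN_PATH = "/.well-known/example"  # placeholder; the thread names no URI

def fetch_https(host, path):
    # Default context verifies the chain and the name: a wrong-name cert fails hard.
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(f"https://{host}{path}", timeout=5, context=ctx) as r:
            return r.read()
    except urllib.error.URLError as e:
        # urllib wraps TLS errors; unwrap so a cert problem is not mistaken for "no 443".
        if isinstance(e.reason, ssl.SSLCertVerificationError):
            raise e.reason from None
        raise

def fetch_http(host, path):
    return urllib.request.urlopen(f"http://{host}{path}", timeout=5).read()

@dataclass
class Outcome:
    status: str  # https | http-only | cert-mismatch | content-differs | none
    body: "bytes | None" = None
    detail: str = ""

def resolve(host, https_fetch=fetch_https, http_fetch=fetch_http):
    """HTTPS first, then HTTP, identical bodies required; a wrong-name certificate is reported, not downgraded."""
    https_body, detail = None, ""
    try:
        https_body = https_fetch(host, WELL_KNOWN_PATH)
    except ssl.SSLCertVerificationError as e:  # the ~97% case in the cited survey
        return Outcome("cert-mismatch", detail=str(e))
    except OSError as e:  # URLError, HTTPError (e.g. 404), refused, timeout
        detail = f"https unavailable: {e}"
    try:
        http_body = http_fetch(host, WELL_KNOWN_PATH)
    except OSError as e:
        if https_body is not None:
            return Outcome("https", https_body, "http unavailable; not cross-checked")
        return Outcome("none", detail=f"{detail}; http unavailable: {e}")
    if https_body is None:
        return Outcome("http-only", http_body, detail)
    if https_body != http_body:
        return Outcome("content-differs")
    return Outcome("https", https_body)

def wrong_name_fetcher(host, path):  # constructed stand-in: 443 answers with the wrong cert
    raise ssl.SSLCertVerificationError(f"certificate does not match {host}")
```

Pass real `fetch_https`/`fetch_http` (the defaults) to query a live host; pass stand-ins such as `wrong_name_fetcher` to exercise the decision logic offline.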