[cabfpub] [Ext] .well-known and re-directs

Paul Hoffman paul.hoffman at icann.org
Wed Jul 19 22:47:28 MST 2017


On Jul 19, 2017, at 10:53 PM, Jacob Hoffman-Andrews <jsha at letsencrypt.org> wrote:
> 
> I disagree with Paul's interpretation. At Let's Encrypt we have always followed HTTP redirects, and consider it an important part of validating by HTTP. Consider, for instance, a web site that redirects all "http:" URLs to "https:" URLs. If that site were required to inhibit redirects for validation requests, that would be harmful to the site's security.

Note that I said "If the BRs allow "we got the correct returned random from an unexpected URI", yes. Otherwise, probably not." I did not read the BRs, just was commenting on what is clearly one server's broken redirect.

From the BR text you quote, it does not appear that getting the Required Website Content via an HTTP redirect is allowed. For the reasons you give above (and other common sense), it might be logical to allow getting the Required Website Content via redirect.

--Paul Hoffman

