Re: [Acme] ACME draft is now in WGLC.

Phillip Hallam-Baker <phill@hallambaker.com> Sat, 18 March 2017 17:08 UTC

In-Reply-To: <CAL02cgQW5434JjEvZzBp_X1+ViuiK5A2gd_Az7rw6H4DifyjZA@mail.gmail.com>
References: <8473d9ba84894d49b2f2232370d66b46@usma1ex-dag1mb3.msg.corp.akamai.com> <20170307031510.GN7733@mournblade.imrryr.org> <20170307032023.GO7733@mournblade.imrryr.org> <9471a5323a98405eaf0ee111fb0350b0@usma1ex-dag1mb3.msg.corp.akamai.com> <20170313201410.GG4095@mournblade.imrryr.org> <12461433fb264865972e9ddafab1c511@usma1ex-dag1mb1.msg.corp.akamai.com> <20170314162425.GA13868@andover.lhh.devever.net> <CAL02cgQW5434JjEvZzBp_X1+ViuiK5A2gd_Az7rw6H4DifyjZA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Sat, 18 Mar 2017 13:08:21 -0400
Message-ID: <CAMm+LwhOwo-fMh9hhAKzL6gVetEm1mVHxvih4q3WpVDM6D9TkQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Hugo Landau <hlandau@devever.net>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/2C-y99RTyVPEi6lSMImiFCOhNKM>

On Tue, Mar 14, 2017 at 2:24 PM, Richard Barnes <rlb@ipv.sx> wrote:

>
>
> On Tue, Mar 14, 2017 at 12:24 PM, Hugo Landau <hlandau@devever.net> wrote:
>
>> > > The CAA check is/was easy to make and crippling it
>> > > by not making it a requirement was IMNSHO a mistake.
>> > ...
>> > > I urge the WG to reconsider.
>> >
>> > Does anyone else agree with Viktor?  Please speak up on the list this
>> > week if so.
>>
>> I'd agree that the CAA check should be made mandatory. At least, I can't
>> think of any good reason why it shouldn't be.
>>
>
> I very strongly disagree.  What checks the CA does before issuing is up to
> the CA's policy.  This document provides tools for CAs to do those checks;
> it does not constrain what CAs do.
>
>
>
>> I'd also agree that the use of a DNSSEC-validating resolver accessed via
>> a trusted network (preferably localhost) should be mandatory.
>>
>
> Likewise.
>
> --Richard
>

If that were so, why does ACME have any support for DNS validation? It is
merely CA policy after all.

The point of CAA is that it is the one mechanism that is provided to allow
domain owners to signal to third parties what parties they authorize to
issue certs.

In my view CAA should be mandatory for the reasons above.

The other reason for making CAA mandatory is that if we are going to fully
automate the issue process, we might well want to use information in the
CAA records to facilitate that. That was the reason I thought Paul
Hoffman's idea of using the DNS name rather than a policy oid or some PKIX
identifier was the right approach.
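The CAA check being argued over above is small enough to show end to end. The following is an added example, not code from the ACME draft or from any participant in this thread: it implements the CAA relevant-record-set walk and the issue/issuewild decision described in the CAA RFC against an in-memory zone. The `ZONE` dictionary is constructed sample data, and `relevant_caa_records`, `issuer_domain` and `caa_permits_issuance` are hypothetical helper names. A real CA would replace the dictionary lookup with a query to a DNSSEC-validating resolver on a trusted network, and how a lookup failure (as opposed to an empty answer) is treated is a policy question this example does not settle.

```python
"""CAA evaluation over an in-memory zone (added example, not ACME or CA code).

Records are (flags, tag, value) as in the CAA RFC. The Issuer Critical flag
is bit 7 of the flags byte (value 128). ZONE below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = Issuer Critical flag set
    tag: str     # "issue", "issuewild", "iodef", or an unknown property tag
    value: str   # for issue/issuewild: "<issuer-domain>[; params]" or ";" for "nobody"


# Constructed sample zone: owner name -> CAA RRset at that name.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca.example.net; account=4242"),
        CAARecord(0, "issuewild", ";"),            # no CA may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],   # no CA may issue at all
    "strict.example.com": [CAARecord(128, "future-tag", "x")],  # critical, unknown
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_records(fqdn, zone=ZONE):
    """Climb from the FQDN toward the root and return the first non-empty
    CAA RRset found. A leading wildcard label is ignored for the walk."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return list(rrset)
        labels = labels[1:]
    return []   # no CAA anywhere in the ancestry: no constraint expressed


def issuer_domain(value):
    """'ca.example.net; account=4242' -> 'ca.example.net'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits_issuance(fqdn, ca_domain, zone=ZONE):
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    records = relevant_caa_records(fqdn, zone)

    # An unknown property carrying the Issuer Critical flag forbids issuance.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False

    wildcard = fqdn.startswith("*.")
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]

    # issuewild governs wildcard requests when present; otherwise issue does.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # relevant set has no issue/issuewild property: any CA may issue

    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "ca.example.net"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "ca.example.net"),
                     ("locked.example.com", "ca.example.net"),
                     ("strict.example.com", "ca.example.net"),
                     ("www.example.org", "ca.example.net")]:
        print(f"{name:22s} {ca:18s} -> {caa_permits_issuance(name, ca)}")
```

Note that the walk stops at the first name that has any CAA records, so `locked.example.com` is governed by its own record and never inherits the permissive `issue` at `example.com`; that is the property that lets a domain owner carve out a stricter policy for one host.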