Re: [Acme] ACME draft is now in WGLC.

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 14 March 2017 05:13 UTC

Date: Tue, 14 Mar 2017 05:13:10 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: acme@ietf.org
Message-ID: <20170314051309.GR7733@mournblade.imrryr.org>
In-Reply-To: <3b319b98-64f2-5ed9-fa2e-460c574459d1@eff.org>

On Mon, Mar 13, 2017 at 02:00:40PM -0700, Jacob Hoffman-Andrews wrote:

> > by CA/B forum as a "recommendation", which meant that the constraint
> > was meaningless.  Rumour has it that CAA will soon be a requirement,
> > so I've now published CAA records.  The CAA check is/was easy to
> > make and crippling it by not making it a requirement was IMNSHO a
> > mistake.
>
> I think by this you mean that the CA/Browser Forum should have mandated
> CAA support in its Baseline Requirements, back when it first adopted CAA
> as "recommended." Is that right?

Yes.

> I think the analogous goal here is that you'd like the CA/Browser Forum
> to mandate use of a DNSSEC-validating recursive resolver during
> DNS-based validation procedures.

No, dragging the CA/B forum into this discussion (by way of analogy)
was perhaps a mistake.  What I am trying to say is that wiggle room to
not do DNSSEC in ACME serves no purpose.  ACME should *require* DNSSEC
resolvers in *ACME-conformant* CAs.

> That's great! However, I don't think mandating use of a DNSSEC-validating
> resolver in the ACME spec will achieve that goal, since the CA/Browser
> Forum is not planning to mandate use of the ACME spec.

Convincing non-ACME CAs that issue DV certs to use DNSSEC for DNS
challenges is a separate issue (a windmill for my Quixotic battles)
and is out of scope for this group.  So, one thing at a time: I urge
the ACME WG to require DNSSEC for DNS challenges, so that the security
of DNSSEC-signed domains is not downgraded by ACME CAs negligently
running security-oblivious resolvers.

-- 
	Viktor.
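As an added illustration (not code from this thread, nor from any ACME implementation), the Python below shows two defender-side checks that follow from Viktor's point: a self-test that a CA's recursive resolver really validates DNSSEC (AD set on a known-good signed name, SERVFAIL on a name whose signatures are deliberately broken), and a dns-01 acceptance rule that refuses an unvalidated `_acme-challenge` TXT answer for a signed zone. The DNS messages, the domain name and the token value `tokenABC` are constructed samples, and whether the zone is signed is assumed to be determined elsewhere (for example from its DS records).

```python
import struct

QTYPE_TXT, FLAG_QR, FLAG_AD = 16, 0x8000, 0x0020   # AD = "Authentic Data", RFC 4035 s3.2.3
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def build_txt_response(name, txts, ad, rcode=RCODE_NOERROR):
    """Constructed sample response: one question plus one TXT answer (owner name compressed)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\0"
    rdata = b"".join(bytes([len(t)]) + t.encode() for t in txts)
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_QR | (FLAG_AD if ad else 0) | rcode, 1, int(bool(txts)), 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata if txts else b""
    return hdr + qname + struct.pack("!HH", QTYPE_TXT, 1) + answer

def read_name(msg, off):
    labels, end = [], None                      # decode a possibly compressed name -> (name, next offset)
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer: remember where we left off
            end, off = (off + 2 if end is None else end), struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode()); off += ln
    return ".".join(labels), (off if end is None else end)

def parse_txt_response(msg):
    """Return (rcode, ad_flag, [TXT strings]) from a raw DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, txts = 12, []
    for _ in range(qd):
        _, off = read_name(msg, off); off += 4  # skip QTYPE, QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10; p = off
        while rtype == QTYPE_TXT and p < off + rdlen:   # TXT rdata: <len><chars> ...
            n = msg[p]; txts.append(msg[p + 1:p + 1 + n].decode()); p += 1 + n
        off += rdlen
    return flags & 0x000F, bool(flags & FLAG_AD), txts

def resolver_validates(signed_ok_resp, bogus_resp):
    """Resolver self-test: a known-good signed name must carry AD; a deliberately broken one must SERVFAIL."""
    ok_rcode, ok_ad, _ = parse_txt_response(signed_ok_resp)
    bad_rcode, _, _ = parse_txt_response(bogus_resp)
    return ok_rcode == RCODE_NOERROR and ok_ad and bad_rcode == RCODE_SERVFAIL

def dns01_accept(resp, expected_token, zone_signed):
    """Accept a dns-01 answer only if the token is present and, for a signed zone, the resolver validated it."""
    rcode, ad, txts = parse_txt_response(resp)
    return rcode == RCODE_NOERROR and expected_token in txts and (ad or not zone_signed)
```

A resolver that does not validate never sets AD, so the same signed-zone answer is rejected by `dns01_accept` when it arrives through such a resolver; the self-test catches that misconfiguration before any challenge is evaluated.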