Re: [Acme] CAA DNS RR IODEF e-mail spam && client side CAA verification
Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 22 October 2020 17:05 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42A3D3A0920 for <acme@ietfa.amsl.com>; Thu, 22 Oct 2020 10:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.395
X-Spam-Level:
X-Spam-Status: No, score=-1.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4YjHlRufGICs for <acme@ietfa.amsl.com>; Thu, 22 Oct 2020 10:05:00 -0700 (PDT)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com [209.85.216.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27703A091A for <acme@ietf.org>; Thu, 22 Oct 2020 10:05:00 -0700 (PDT)
Received: by mail-pj1-f51.google.com with SMTP id g16so1375779pjv.3 for <acme@ietf.org>; Thu, 22 Oct 2020 10:05:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hHXAci/sxt58aQJ/+dQYajOVsuhEFuNRzkJ2g2RqXi4=; b=M4reCma4S8XjZQLCmBXc6EIgZO3WqMdDPusVaMOv5mJFY+xALi4u46gxZIOVup6Mly JBDhj751UfoSTGIyAo7mVmwMkIpzF/WWN6YHTFFrsfqTmwbpSGrvntQApgauyYBWAAq+ v9B9d8kZAm3IAskRkt8/PRLUGs7SwUTwQLlCWgWq/WNNHVMLMAd79mnt6/jIeqe5l61M bBGL8RlmuCkV+6Omq8HjuVMbW1fYIQ+huCkALsNOUryAgLJYAkgpuY8m7Hxxc8JUmvAV mg4jiGkgTsMHhpHtK7ucCMhHahYa3sHPyRTB4etyeo2RAzsDd5uB+sP1p0qg34dr20fh rlGg==
X-Gm-Message-State: AOAM531S4Qb5PR8DeA1PxG3TzbKrTICM7TVUBkr4DyD6FrxiNaM5YwJF XQ4vNX8wHXiLe1EbAkIoU04sPVqvYm0=
X-Google-Smtp-Source: ABdhPJyhpaTkj99o4ARxF7v6EVNjFunBiV+vRAJP0mSoNvw6+GThaxdKJhsuS/B2XSA/GEC63LkUtw==
X-Received: by 2002:a17:902:204:b029:d3:9c43:3715 with SMTP id 4-20020a1709020204b02900d39c433715mr3233466plc.74.1603386299424; Thu, 22 Oct 2020 10:04:59 -0700 (PDT)
Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com. [209.85.210.169]) by smtp.gmail.com with ESMTPSA id b128sm2623228pga.80.2020.10.22.10.04.59 for <acme@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 22 Oct 2020 10:04:59 -0700 (PDT)
Received: by mail-pf1-f169.google.com with SMTP id 144so1519952pfb.4 for <acme@ietf.org>; Thu, 22 Oct 2020 10:04:59 -0700 (PDT)
X-Received: by 2002:a65:50c5:: with SMTP id s5mr2984727pgp.399.1603386299029; Thu, 22 Oct 2020 10:04:59 -0700 (PDT)
MIME-Version: 1.0
References: <fd15218159ce22d9f3f846de1b5bac498fb6116b.camel@sijanec.eu>
In-Reply-To: <fd15218159ce22d9f3f846de1b5bac498fb6116b.camel@sijanec.eu>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 22 Oct 2020 13:04:48 -0400
X-Gmail-Original-Message-ID: <CAErg=HGibOhM3Ab58VrspoN=pgxTi8fHy6n+9R3izUda+29w1w@mail.gmail.com>
Message-ID: <CAErg=HGibOhM3Ab58VrspoN=pgxTi8fHy6n+9R3izUda+29w1w@mail.gmail.com>
To: Anton Luka Šijanec <anton@sijanec.eu>
Cc: acme@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ca9ebb05b24576ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7Cm0RIyeDz2wZD4l3HzHT8jvZc8>
Subject: Re: [Acme] CAA DNS RR IODEF e-mail spam && client side CAA verification
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2020 17:05:02 -0000
On Thu, Oct 22, 2020 at 11:59 AM Anton Luka Šijanec <anton@sijanec.eu> wrote: > Hello! > > I hope I am addressing this e-mail to the correct mailing list. After > glancing through the CAA DNS RR specifications for allowing only > specific CAs to issue certificates for a specific domain, I saw that > the iodef field for specifying the URI for sending violations is not > verified when submitting reports to different domains. > > What I mean by this is that someone.example can specify an email > address of someone@else.example. Then someone.example issues a lot of > certificate signing requests to CAs that are not allowed for his > domain, filling someone@else.example's inbox with violation spam. > > I propose a system, such as the one used for DMARC, to allow > whitelisted cross-domain violation email delivery. > > For example, if IODEF field of caa.example specifies "mailto: > report@violation.example", CAs will before sending a report check if > the TXT record caa.example._caa.violation.example. has a value of > "CAA=v1; caa-reports=allow;" or something similar. > > If such a system is already in place, how can I make sure I am > correctly implementing it on my domain? Can someone direct me to the > specification? > > My second suggestion is that client browsers would verify certificates > by performing DNS CAA queries and validating if the certificate is okay > and optionally send violation reports. What are your thoughts? This is intentionally, and explicitly, not part of CAA. CAA is designed as an ACL on issuance; were clients to check, this would necessitate that domains continue to authorize future certificate issuance. For example, if I used CA A at Time 0, but later switched new issuance to CA B at Time 10, if clients checked at Time 11, I would be required to list both A and B as authorized; A, because it had authorized some of my existing certificates, and B, because it was authorized for new certificates. Short of replacing every unexpired, unrevoked certificate from A, I would not be able to safely and securely only authorize B going forward. Section 1 of RFC 8659 makes this unambiguous: > Relying Parties MUST NOT use CAA records as part of certificate validation.
- Re: [Acme] CAA DNS RR IODEF e-mail spam && client… Ryan Sleevi
- Re: [Acme] CAA DNS RR IODEF e-mail spam && client… Phillip Hallam-Baker