Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
Jacob Hoffman-Andrews <jsha@eff.org> Tue, 10 July 2018 00:57 UTC
Return-Path: <jsha@eff.org>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9946127148 for <acme@ietfa.amsl.com>; Mon, 9 Jul 2018 17:57:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.01
X-Spam-Level:
X-Spam-Status: No, score=-7.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcurQQXF_yDF for <acme@ietfa.amsl.com>; Mon, 9 Jul 2018 17:57:04 -0700 (PDT)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3817F130EB0 for <acme@ietf.org>; Mon, 9 Jul 2018 17:57:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:Cc:To:Subject:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=BEhkL8E4uB/mUhbuYJPXoD3W/scVOLlLjPA8m7VQj6c=; b=My2Qq3kxONBortAL2Smc++MScz r+3SY9zP1u1pxygFAslWORCGdKyWqqFE+VcJURzFSDgwkSC+VUP+a5Y4Ay8icPh06VbvC5alxubyV UBT9tBypxZnTdRMtcIWw+v0ZhkyOYzpar4EuHEvidmwJ0nj26tEkMHfrModuigzV3DD8=;
Received: ; Mon, 09 Jul 2018 17:57:01 -0700
To: Roland Shoemaker <roland@letsencrypt.org>, acme@ietf.org
Cc: Hugo Landau <hlandau@devever.net>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
Date: Mon, 09 Jul 2018 17:57:01 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/7Wuzl7-fqbMR_04jQNawQqEF17E>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 00:57:06 -0000
There's a similar issue for parameters: RFC 6844 section 3 says each name-value pair is separated by a semicolon: https://tools.ietf.org/html/rfc6844#section-3 > issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property RFC 6844 section 5.2 says each name-value pair is separated by a space: https://tools.ietf.org/html/rfc6844#section-5.2 > issuevalue = space [domain] space [";" *(space parameter) space] For 6844-bis, in the LAMPS WG, we concluded that the latter was most likely an error in the ABNF, and that semicolons were preferable: https://tools.ietf.org/html/draft-ietf-lamps-rfc6844bis-00#section-5.2 > parameters = (parameter *WSP ";" *WSP parameters) / parameter ACME-CAA's examples use semicolons: https://tools.ietf.org/html/draft-ietf-acme-caa-03#appendix-A > example.com. IN CAA 0 issue "example.net; \ > account-uri=https://example.net/account/1234; \ > validation-methods=dns-01" We resolved the hyphen question on the basis of interoperability: Some DNS UIs rejected setting CAA records with hyphens in property names, so we did the simple thing and removed them. The semicolon question is not so easily solved. There is no unambiguous reading of RFC 6844, no reason to consider section 3 more normative than section 5.2 or vice versa. I have one piece of interop data: While Route53 rejected hyphens in property names, it accepts semicolons separating name-value pairs. My preference is for ACME-CAA to continue follow the RFC 6844bis interpretation. What are others' thoughts?
- Re: [Acme] Handling non-conformant CAA property n… Hugo Landau
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Corey Bonnell
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Jacob Hoffman-Andrews
- Re: [Acme] Handling non-conformant CAA property n… Salz, Rich
- Re: [Acme] Handling non-conformant CAA property n… Ryan Sleevi
- Re: [Acme] Handling non-conformant CAA property n… Tim Hollebeek
- Re: [Acme] Handling non-conformant CAA property n… Ivan Ristic
- Re: [Acme] Handling non-conformant CAA property n… Ryan Sleevi
- [Acme] Handling non-conformant CAA property names… Roland Shoemaker
- Re: [Acme] Handling non-conformant CAA property n… Salz, Rich
- Re: [Acme] Handling non-conformant CAA property n… Hugo Landau