Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Tim Hollebeek <tim.hollebeek@digicert.com> Thu, 21 June 2018 12:30 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ivan Ristic <ivan.ristic@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: IETF ACME <acme@ietf.org>, Hugo Landau <hlandau@devever.net>, Roland Shoemaker <roland@letsencrypt.org>
Date: Thu, 21 Jun 2018 12:30:08 +0000
Message-ID: <BN6PR14MB11064F83C5CD3F2DCC1EC76483760@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <CAErg=HEHGhADKr460195-M5L8VeKBT0Hj1LiwmoZbhTNqjpYvw@mail.gmail.com> <CANHgQ8Fb7GqSBt+ptTTPOLoGe1jph_8kFm2CqT=6NgcdVFsViw@mail.gmail.com>
In-Reply-To: <CANHgQ8Fb7GqSBt+ptTTPOLoGe1jph_8kFm2CqT=6NgcdVFsViw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/8iooZFWWC5ZWP-9kVI0_ap0Gk6k>

The current ABNF in 6844 is basically broken, and doesn’t express what it was intended to express.  I remember staring at it with Corey and wondering how it got approved …
So while I’m not particularly picky on the exact bureaucratic details of how a fix gets made, it would be nice to get this resolved quickly via an errata or whatever.  There are a bunch of reasonable extensions to CAA that could be made in the future, and a solid and agreed-upon grammar is a necessary prerequisite.
Another option (at least for uses on the Web PKI) is clarification by CABF ballot.  Despite all the downsides of CABF, it does have the ability to move pretty quickly when it needs to.
-Tim
From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Ivan Ristic
Sent: Thursday, June 21, 2018 3:41 AM
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: IETF ACME <acme@ietf.org>; Hugo Landau <hlandau@devever.net>; Roland Shoemaker <roland@letsencrypt.org>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
Just to add to this, those CAs whose CAA processing follows the current spec will likely see all CAA policies with ACME-CAA extensions as invalid, potentially leading to operational issues. It's going to be the same with tools that inspect and validate CAA (e.g., our tool, Hardenize).
On Wed, Jun 20, 2018 at 10:25 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

On Wed, Jun 20, 2018 at 4:47 PM, Roland Shoemaker <roland@letsencrypt.org> wrote:

As previously discussed on the list, the two property names defined in draft-ietf-acme-caa, "validation-methods" and "account-uri", do not conform to the ABNF syntax in RFC 6844 as they contain hyphens. 6844-bis fixes this by expanding the ABNF to be less restrictive, but for now this doesn't really address the problem at hand.

Given it is probably unlikely that 6844-bis will be standardized any time soon, is there any plan to make changes to draft-ietf-acme-caa to address this in the short term? Given we are not yet at the point where there is wide deployment/adoption of this feature, can we take the easy route and simply remove the hyphens so that the document at least complies with the existing CAA document?
It is not just that -bis would need to be finalized and standardized, but that CAs would also have to adopt and recognize the syntax in -bis, updating their 6844 implementations. Even if -bis were final tomorrow, that would still take considerable time, given the normative differences, and so I think aligning on an inter-operable expression is certainly preferable, allowing it to work with both 6844 and -bis.

-- 

Ivan
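The mismatch Roland describes above, worked as an added example (not code from draft-ietf-acme-caa, Boulder, Hardenize or any poster in the thread): a small CAA issue-value checker that grades each parameter tag under the RFC 6844 tag rule, `1*(ALPHA / DIGIT)`, and under the hyphen-permitting rule that 6844-bis adopted (published as RFC 8659). `ca.example` and the account URI in the sample records are constructed placeholders, and parameter splitting on `;` follows the -bis structure rather than the 6844 ABNF the thread calls broken.

```python
import re
from dataclasses import dataclass

# Tag rule from RFC 6844, Section 5.2:  tag = 1*(ALPHA / DIGIT)  (no hyphen).
TAG_6844 = re.compile(r"^[A-Za-z0-9]+$")
# Tag rule adopted by 6844-bis (published as RFC 8659):
#   tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))   -> hyphens allowed inside.
TAG_BIS = re.compile(r"^[A-Za-z0-9]+(?:-+[A-Za-z0-9]+)*$")
# Issuer domain: label *("." label), each label shaped like TAG_BIS.
DOMAIN = re.compile(r"^[A-Za-z0-9]+(?:-+[A-Za-z0-9]+)*(?:\.[A-Za-z0-9]+(?:-+[A-Za-z0-9]+)*)*$")
# Parameter value (RFC 8659): visible ASCII except ";".
VALUE = re.compile(r"^[\x21-\x3a\x3c-\x7e]*$")
WSP = " \t"

@dataclass
class ParamCheck:
    tag: str
    value: str
    ok_6844: bool  # tag accepted by the RFC 6844 rule
    ok_bis: bool   # tag accepted by the 6844-bis / RFC 8659 rule

def check_issue_value(issue_value: str) -> dict:
    """Split a CAA issue/issuewild property value into issuer domain and
    "tag=value" parameters (";"-separated, as in -bis and the draft's examples)
    and grade every parameter tag under both tag rules."""
    domain_part, sep, params_part = issue_value.partition(";")
    domain = domain_part.strip(WSP)
    result = {"domain": domain, "params": [], "well_formed": True,
              "domain_ok": domain == "" or bool(DOMAIN.match(domain))}
    if sep and params_part.strip(WSP):
        for raw in params_part.split(";"):
            tag, eq, value = raw.strip(WSP).partition("=")
            tag, value = tag.strip(WSP), value.strip(WSP)
            if not eq or not tag or not VALUE.match(value):
                result["well_formed"] = False  # missing "=", empty tag or bad value char
                continue
            result["params"].append(ParamCheck(
                tag, value, bool(TAG_6844.match(tag)), bool(TAG_BIS.match(tag))))
    return result

def accepted_by_strict_6844_ca(issue_value: str) -> bool:
    """Verdict of a CA that applies the RFC 6844 ABNF literally."""
    r = check_issue_value(issue_value)
    return r["well_formed"] and r["domain_ok"] and all(p.ok_6844 for p in r["params"])

def accepted_by_bis_ca(issue_value: str) -> bool:
    """Verdict of a CA that has moved to the 6844-bis grammar."""
    r = check_issue_value(issue_value)
    return r["well_formed"] and r["domain_ok"] and all(p.ok_bis for p in r["params"])
```

Run against a constructed record such as `ca.example; account-uri=https://ca.example/acct/1; validation-methods=dns-01`, both hyphenated tags fail the 6844 rule and pass the -bis rule, while the hyphen-stripped forms Roland proposes pass both.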