IETF Logo Mail Archive

Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 21 June 2018 14:52 UTC

Return-Path: <ryan-ietf@sleevi.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E03B130EA4 for <acme@ietfa.amsl.com>; Thu, 21 Jun 2018 07:52:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sleevi.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oU2-vGxuNmTM for <acme@ietfa.amsl.com>; Thu, 21 Jun 2018 07:52:00 -0700 (PDT)
Received: from homiemail-a72.g.dreamhost.com (homie-sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5EBF130EA2 for <acme@ietf.org>; Thu, 21 Jun 2018 07:52:00 -0700 (PDT)
Received: from homiemail-a72.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTP id 276ABA004923 for <acme@ietf.org>; Thu, 21 Jun 2018 07:52:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=mime-version :in-reply-to:references:from:date:message-id:subject:to:cc :content-type; s=sleevi.com; bh=7RseSyJ0eL0wsOK+Fi3Z2UoMGJQ=; b= jvhwgU3M8BlhlxpIOsDGgqWyxvacuNJlm/ABUg4WIPYxUqxuqXCZQRmjFfKtDDjp xHrSg8kqJM7UfQKHxTpNjd+8eEPIBB9JMFjF8zcslJThc2rp5mR04VsDgoYFZwV9 UJ1ITOKxugzHnTG8qX39w47IEXbyw5QybeLSXY3vct4=
Received: from mail-io0-f174.google.com (mail-io0-f174.google.com [209.85.223.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: ryan@sleevi.com) by homiemail-a72.g.dreamhost.com (Postfix) with ESMTPSA id 0F629A00491D for <acme@ietf.org>; Thu, 21 Jun 2018 07:51:59 -0700 (PDT)
Received: by mail-io0-f174.google.com with SMTP id r24-v6so3230475ioh.9 for <acme@ietf.org>; Thu, 21 Jun 2018 07:51:59 -0700 (PDT)
X-Gm-Message-State: APt69E2KfdCgq99I4iUfXfNb9Dn3x0Jedd370u8xynHuo3ncMp9E01o+ 42jvAHIuBJ1K6EiVw59ua9esduSEvtVJH7GVwmY=
X-Google-Smtp-Source: ADUXVKIXceEqZmuUQwd+RYu1S+LGP2yeIfLEsOXBYhZaGy3HWjxXxL8nZEAZtjc63Ac220UeZELXqktsXOUVaBt7ePg=
X-Received: by 2002:a5e:d703:: with SMTP id v3-v6mr22373968iom.78.1529592719358; Thu, 21 Jun 2018 07:51:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a02:986a:0:0:0:0:0 with HTTP; Thu, 21 Jun 2018 07:51:58 -0700 (PDT)
In-Reply-To: <BN6PR14MB11064F83C5CD3F2DCC1EC76483760@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <CAErg=HEHGhADKr460195-M5L8VeKBT0Hj1LiwmoZbhTNqjpYvw@mail.gmail.com> <CANHgQ8Fb7GqSBt+ptTTPOLoGe1jph_8kFm2CqT=6NgcdVFsViw@mail.gmail.com> <BN6PR14MB11064F83C5CD3F2DCC1EC76483760@BN6PR14MB1106.namprd14.prod.outlook.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 21 Jun 2018 10:51:58 -0400
X-Gmail-Original-Message-ID: <CAErg=HGab8JZ7kpqCGgE6UZdh11yEORbLXrkta7iogrXxuUGfg@mail.gmail.com>
Message-ID: <CAErg=HGab8JZ7kpqCGgE6UZdh11yEORbLXrkta7iogrXxuUGfg@mail.gmail.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ivan Ristic <ivan.ristic@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>, IETF ACME <acme@ietf.org>, Hugo Landau <hlandau@devever.net>, Roland Shoemaker <roland@letsencrypt.org>
Content-Type: multipart/alternative; boundary="000000000000b0429b056f280eea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/CJodX0eauITyAx48Le6EzT8P3Zc>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 14:52:05 -0000

On Thu, Jun 21, 2018 at 8:30 AM, Tim Hollebeek <tim.hollebeek@digicert.com>
wrote:

> The current ABNF in 6844 is basically broken, and doesn’t express what it
> was intended to express.  I remember staring at it with Corey and wondering
> how it got approved …
>

>
> So while I’m not particularly picky on the exact bureaucratic details of
> how a fix gets made, it would be nice to get this resolved quickly via an
> errata or whatever.  There are a bunch of reasonable extensions to CAA that
> could be made in the future, and a solid and agreed-upon grammar is a
> necessary prerequisite.
>
>
>
> Another option (at least for uses on the Web PKI) is clarification by CABF
> ballot.  Despite all the downsides of CABF, it does have the ability to
> move pretty quickly when it needs to.
>
>
>
> -Tim
>

I would like to focus on resolving the issues with the document, as
written, as it specifies a grammar not conformant with 6844.

I disagree with your assessments about intent, brokenness, or possible
solutions for 6844 - but those are all better for LAMPS to work out, and we
can have that reasonable debate there. I hope, though, we're in agreement
that conforming implementations of 6844 cannot and should not process these
records, and as Ivan calls out, runs real operational risk to users that
rely on them. Let's fix that, now, and worry about whether or not we can
break compatibility in a -bis document and whether it's worth it.

v2.23.0 | Report a Bug | By Email