IETF Logo Mail Archive

Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Thu, 30 May 2019 19:22 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF00120072; Thu, 30 May 2019 12:22:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.115
X-Spam-Level:
X-Spam-Status: No, score=-2.115 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.415, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TJHtdbU5je2l; Thu, 30 May 2019 12:22:38 -0700 (PDT)
Received: from mail-it1-f194.google.com (mail-it1-f194.google.com [209.85.166.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A90712004D; Thu, 30 May 2019 12:22:38 -0700 (PDT)
Received: by mail-it1-f194.google.com with SMTP id h20so11811972itk.4; Thu, 30 May 2019 12:22:38 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=5PdwQTF6rgnnash/+bheCIDVXW+tNzw295a1AIGRt54=; b=kGwtIYK6+quuQAr8Y8u6aU8GuC3yrRC6BNofxrlJKznTtF1Adx9KL3LFh9T97bX+uE d/+HEIH6DyuylTYB/XybfLEpsmtSn12HhVDsDIRJMRCY15NRmkDz0Yl8wQj26QDoyAJv o8JbcgZDGBMgJ7oPT87v9fxzK6av2PLufieWFIlagiQEwHOTBcMo/rEHmfnKrRc5e3Jd O78aPF1JPk4VXr2xNDLuXVdgrujeUPetVetgaMMB6E8Y4RC1gzZaNltPhEKrrZwn2VJI 4i6SpmXL+Kfz5f/WuYJOAoUWN5PBo6na/hmanWX2hpAKPkB4E1KtLcENNRJqB9/iZ2RS /0Ag==
X-Gm-Message-State: APjAAAUD2dOtr2XAzafLlFKeldc3jf4Em4TLGXB3lLizNXUtMjM4HlfK 2A4bAz7DFMJdtFPOk3gSKg7dIIuCciOOvr5u9ag=
X-Google-Smtp-Source: APXvYqyVB4zlyipe4dUOXLBTS4SzNv24noGreD3KJa13GSEDGzn2ZQlliSNBPNfmrWoRFUjwxjm+dugR52YMQQ5jO8U=
X-Received: by 2002:a24:4d87:: with SMTP id l129mr4066670itb.80.1559244157370; Thu, 30 May 2019 12:22:37 -0700 (PDT)
MIME-Version: 1.0
References: <155888292737.18381.13153334659362661935.idtracker@ietfa.amsl.com> <20190530174230.GA12694@axminster>
In-Reply-To: <20190530174230.GA12694@axminster>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 30 May 2019 20:22:26 +0100
Message-ID: <CALaySJJ1M8Rnp4wRAn3xgfV3JM5vDDBU6MAhRpikHNSPgvZmSQ@mail.gmail.com>
To: Hugo Landau <hlandau@devever.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/DmsO7uKkia-M9GGlrwz-lZi2Hyw>
Subject: Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 19:22:41 -0000

Thanks, Hugo; this is all good, and thanks for the response.  I'll
clear the DISCUSS, though I still would like to discuss the "ca-"
thing a little more.  But the main point is that the BCP was known and
considered, and the working group made an informed choice.

> > — Section 4 —
> >
> >    If appropriate non-ACME identifiers are not present in the
> >    ACME Validation Methods IANA registry, the CA MUST use identifiers
> >    beginning with the string "ca-", which are defined to have CA-
> >    specific meaning.
> >
> > Was the working group aware of BCP 178 (RFC 6648), and did they consider the
> > “ca-“ prefix in that context?  If so, how does the working group propose to
> > avoid the problems outlined by BCP 178?
>
> Yes.
>
> All of these identifiers are already scoped to a specific CA via a
> domain name, due to the nature of the CAA specification. The CAA
> specification also provides that parameters in general are a CA-specific
> namespace.
>
> The core complaint of RFC 6648 is that nonstandard values tend to
> graduate to being standard values, and at that point need to be renamed.
>
> Because "ca-" methods are CA-specific and unrelated to ACME, it is
> essentially necessary that they be configured in relation to, and in
> knowledge of, a specific CA and its issuance and validation practices.
> In this regard it is not the same concept as an X- prefix, which defines
> nonstandard parameters in the vague hope that such parameters will be
> adopted by numerous implementations and entities across the net. This is
> a permanent reservation for CA-specific meaning and there is no
> expectation that one CA's "ca-foo" method is the same as another CA's
> "ca-foo" method.

This all makes sense.  Would it be reasonable to recommend not just
"ca-", but "ca-<caidentifier>-"?  Experience has shown that if "flarb"
is a common thing among CAs (or whatever) and Verisign implements a
"ca-flarb", that will tend to leak and become an unregistered
standard... but that's far less likely to happen if it's
"ca-verisign-flarb".  I'm not suggesting any formalization nor
registry for the <caidentifier> part, but just the fact that it's
included tends to get us away from the problem that BCP 178 is
addressing.

Again, this is no longer at DISCUSS level, and if the working group
thinks this isn't a good idea, go ahead as planned.  But please chew
it over a bit and see if you can swallow it.

> > — Section 6 —
> > I have no idea what you’re trying to say here.  This is a Proposed Standard,
> > right?  It defines two new parameters.  Are you now trying to say that we have
> > not really defined anything?  I don’t understand.
>
> The CAA specification allows parameters to be attached to CAA
> properties, but this is a CA-specific namespace. Per CAA, there is no
> IANA registry for CAA parameters, and a CA is not required to give the
> meaning given in this I-D to "accounturi" or "validationmethods"
> parameters, unless it chooses to implement this RFC. See "Restrictions
> Ineffective without CA Recognition".

OK; no longer a DISCUSS, and no need for further response, but if you
can re-word that to explain the situation a bit better, that'd be
great.

Thanks again,
Barry

v2.23.0 | Report a Bug | By Email