Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 10 July 2018 13:40 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, Roland Shoemaker <roland@letsencrypt.org>, "acme@ietf.org" <acme@ietf.org>
CC: Hugo Landau <hlandau@devever.net>
Date: Tue, 10 Jul 2018 13:40:41 +0000
Message-ID: <BN6PR14MB11062CD062A06399EC5F04E9835B0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
In-Reply-To: <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/FtdR0j6jaywkzXrhRUP1zJajOHg>

I prefer the RFC 6844-bis interpretation, but I note that this is not
compliant with the Baseline Requirements, which mandate RFC 6844.  It's not
clear what that means, though, since, as you correctly note, RFC 6844
contradicts itself on this point.

I would support fixing the baseline requirements along the lines of what we
did for errata 5065.

-Tim

> -----Original Message-----
> From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Jacob Hoffman-Andrews
> Sent: Monday, July 9, 2018 8:57 PM
> To: Roland Shoemaker <roland@letsencrypt.org>; acme@ietf.org
> Cc: Hugo Landau <hlandau@devever.net>
> Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
>
> There's a similar issue for parameters: RFC 6844 section 3 says each
> name-value pair is separated by a semicolon:
>
> https://tools.ietf.org/html/rfc6844#section-3
>  >    issue <Issuer Domain Name> [; <name>=<value> ]* :  The issue property
>
> RFC 6844 section 5.2 says each name-value pair is separated by a space:
>
> https://tools.ietf.org/html/rfc6844#section-5.2
>  >    issuevalue  = space [domain] space [";" *(space parameter) space]
>
>
> For 6844-bis, in the LAMPS WG, we concluded that the latter was most likely
> an error in the ABNF, and that semicolons were preferable:
>
> https://tools.ietf.org/html/draft-ietf-lamps-rfc6844bis-00#section-5.2
>  >    parameters = (parameter *WSP ";" *WSP parameters) / parameter
>
>
> ACME-CAA's examples use semicolons:
>
> https://tools.ietf.org/html/draft-ietf-acme-caa-03#appendix-A
>  > example.com. IN CAA 0 issue "example.net; \
>  >     account-uri=https://example.net/account/1234; \
>  >     validation-methods=dns-01"
>
>
> We resolved the hyphen question on the basis of interoperability: Some DNS
> UIs rejected setting CAA records with hyphens in property names, so we did
> the simple thing and removed them.
>
> The semicolon question is not so easily solved. There is no unambiguous
> reading of RFC 6844, no reason to consider section 3 more normative than
> section 5.2 or vice versa.
>
> I have one piece of interop data: While Route53 rejected hyphens in property
> names, it accepts semicolons separating name-value pairs.
>
> My preference is for ACME-CAA to continue to follow the RFC 6844bis
> interpretation. What are others' thoughts?
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
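To make the two readings in the quoted exchange concrete, here is an added example (not code from RFC 6844, the rfc6844bis draft, the ACME-CAA draft, or any CA) that parses the draft-ietf-acme-caa-03 appendix record quoted above under both grammars: the rfc6844bis reading, where `;` separates parameters, and a literal reading of the RFC 6844 section 5.2 ABNF, where parameters are space-separated and `value = *VCHAR`, so a `;` inside a value is just another character. The function names, the regular expressions, the `account_uri_permits` check and the sample strings are constructed for this example; that no whitespace surrounds `=`, that values are printable ASCII and that duplicate tags are rejected are this example's assumptions, not text from either RFC.

```python
"""Parse CAA "issue" property values under the two readings of RFC 6844
discussed in the thread.

Added example; not code from RFC 6844, draft-ietf-lamps-rfc6844bis, the
ACME-CAA draft, or any CA.  Function names, regular expressions and sample
records are constructed here.  The parameter separators follow the ABNF lines
quoted in the thread; everything else (no whitespace around "=", values
limited to printable ASCII, duplicate tags rejected) is this example's
assumption.
"""
import re
from typing import Dict, List, Pattern, Tuple

WSP = " \t"  # ABNF WSP = SP / HTAB

# tag = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))  -- hyphens allowed inside a tag
_TAG = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
# rfc6844bis reading: ";" separates parameters, so a value cannot contain ";" or WSP
_BIS_PARAM = re.compile(rf"({_TAG})=([\x21-\x3A\x3C-\x7E]*)")
# literal RFC 6844 section 5.2 reading: value = *VCHAR, and VCHAR (0x21-0x7E) includes ";"
_6844_PARAM = re.compile(rf"({_TAG})=([\x21-\x7E]*)")


def parse_caa_rdata(rdata: str) -> Tuple[int, str, str]:
    """Split presentation-format RDATA  <flags> <tag> "<value>"  into its parts."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rdata)
    if not m:
        raise ValueError(f"not a CAA RDATA string: {rdata!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("CAA flags field is a single octet")
    # property tags (issue, issuewild, iodef) are matched case-insensitively
    return flags, m.group(2).lower(), m.group(3)


def _collect_params(chunks: List[str], pattern: Pattern[str], label: str) -> Dict[str, str]:
    """Match each chunk as tag=value; reject malformed or duplicate tags."""
    params: Dict[str, str] = {}
    for chunk in chunks:
        m = pattern.fullmatch(chunk)
        if not m:
            raise ValueError(f"malformed parameter under {label}: {chunk!r}")
        tag, val = m.group(1), m.group(2)
        if tag in params:  # assumption: a repeated tag is an error, not last-wins
            raise ValueError(f"duplicate parameter tag {tag!r}")
        params[tag] = val
    return params


def parse_issue_value_bis(value: str) -> Tuple[str, Dict[str, str]]:
    """rfc6844bis-00: parameters = (parameter *WSP ";" *WSP parameters) / parameter."""
    domain, sep, rest = value.partition(";")
    if not sep or not rest.strip(WSP):
        return domain.strip(WSP), {}
    chunks = [c.strip(WSP) for c in rest.split(";")]
    return domain.strip(WSP), _collect_params(chunks, _BIS_PARAM, "rfc6844bis")


def parse_issue_value_6844(value: str) -> Tuple[str, Dict[str, str]]:
    """Literal RFC 6844 s5.2: issuevalue = space [domain] space [";" *(space parameter) space]."""
    domain, sep, rest = value.partition(";")
    chunks = [c for c in re.split(r"[ \t]+", rest) if c] if sep else []
    return domain.strip(WSP), _collect_params(chunks, _6844_PARAM, "RFC 6844 s5.2")


def account_uri_permits(rdata: str, ca_domain: str, account_uri: str,
                        grammar: str = "bis") -> bool:
    """CA-side check: does this issue record name ca_domain and, if it binds an
    account-uri parameter, does that parameter equal the requesting account's URI?"""
    _flags, tag, value = parse_caa_rdata(rdata)
    if tag != "issue":
        return False
    parse = parse_issue_value_bis if grammar == "bis" else parse_issue_value_6844
    domain, params = parse(value)
    if domain.lower().rstrip(".") != ca_domain.lower().rstrip("."):
        return False
    bound = params.get("account-uri")  # parameter name as in the draft-03 record quoted above
    return bound is None or bound == account_uri


# Constructed sample: the draft-ietf-acme-caa-03 appendix record quoted in the
# thread, with its "\" line continuations joined into a single string.
SAMPLE_RDATA = ('0 issue "example.net; account-uri=https://example.net/account/1234; '
                'validation-methods=dns-01"')
# Constructed sample: the same record with space-separated parameters, which is
# what a literal reading of the RFC 6844 section 5.2 ABNF describes.
SPACE_RDATA = ('0 issue "example.net; account-uri=https://example.net/account/1234 '
               'validation-methods=dns-01"')

if __name__ == "__main__":
    _f, _t, v = parse_caa_rdata(SAMPLE_RDATA)
    print("rfc6844bis reading:", parse_issue_value_bis(v))
    print("RFC 6844 s5.2 reading:", parse_issue_value_6844(v))
```

Under the rfc6844bis reading the `account-uri` parameter comes back as the bare URI; under the literal section 5.2 reading it carries a trailing `;`, so a CA comparing it byte-for-byte against the requesting account's URI would refuse issuance the domain holder meant to permit, and a space-separated record is rejected outright by the rfc6844bis parser. That divergence on the same record is the interoperability problem behind the question in the thread.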