Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Hugo Landau <hlandau@devever.net> Tue, 10 July 2018 16:47 UTC

Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD099131066 for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 09:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=devever.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EBwt0Vk83OPv for <acme@ietfa.amsl.com>; Tue, 10 Jul 2018 09:47:45 -0700 (PDT)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F77013113E for <acme@ietf.org>; Tue, 10 Jul 2018 09:47:44 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 089521C585; Tue, 10 Jul 2018 18:47:41 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1531241260; x=1549430621; bh=ioxP32UVuShrr2aVXW53aU7K2/F+1rXed96von8sFTo=; b= LjsKbbjiBeCY7+XdOHsiq36LdcKw/I0rjNJksor7DKiqdEOBka8Qvv9H0MBphLiZ me8RFakqjZHqArFlLLKoSs9g6c9xCJ6hQCTKZiPdaDMFBJVuvuQJ73y/54J2HDEh 7bm/j8zufCFXsQRVFxv87v1L5Wwib7BlaAZjHS0ECCj2fyNljL22sqUCfv42PBx8 Feywt7RKgPbIQNx4kmQlpKZ1Q+U8VxNneUygVUAxXlxuozPbJrgUyZ0Hyk9n9Li9 4WIcWHjizUiwXiOjnOdCJUVL+cRHsydx1gtNVI2bkuBaMhEIH588eifpzXgcCSlk vzqbbhekX5g3+BjOre4sdw==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id P_Ir8i-_q58n; Tue, 10 Jul 2018 18:47:40 +0200 (CEST)
Received: from axminster (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id C35771C389; Tue, 10 Jul 2018 18:47:40 +0200 (CEST)
Date: Tue, 10 Jul 2018 17:47:40 +0100
From: Hugo Landau <hlandau@devever.net>
To: Corey Bonnell <CBonnell@trustwave.com>
Cc: acme@ietf.org
Message-ID: <20180710164740.GA24414@axminster>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <63753ab2-2b4b-ec15-f357-373b7e681aab@eff.org> <AD5192BA-2792-4C4F-98DF-C2789C423A9C@trustwave.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <AD5192BA-2792-4C4F-98DF-C2789C423A9C@trustwave.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Mi8MuxgJbUkDHkRf0g79XgJ7cno>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 16:48:00 -0000

> Hi Jacob,
> Perhaps not as elegant and concise, but a workaround would be to temporarily (until 6844-bis gets incorporated into the Baseline Requirements) prohibit multiple parameters in the same CAA record and instead require that multiple parameters span multiple issue/issuewild records with the same Issuer Domain Name.
> 
> For example, the following CAA issue record:
> CAA 0 issue "acmeca.com; validationmethods=http-01; accounturi=https://api.acmeca.com/acct/1"
> 
> could be expressed with two records:
> CAA 0 issue "acmeca.com; validationmethods=http-01"
> CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1"
> 
> This isn't very DRY, but this would avoid interoperability conflicts with tooling and other CAs that refuse to issue certificates when encountering CAA records with invalid syntax.
This doesn't work; it changes logical-AND to logical-OR.

For
> CAA 0 issue "acmeca.com; validationmethods=http-01; accounturi=https://api.acmeca.com/acct/1"
the account URI AND validation method must match.

For
> CAA 0 issue "acmeca.com; validationmethods=http-01"
> CAA 0 issue "acmeca.com; accounturi=https://api.acmeca.com/acct/1"
at least one of the account URI OR validation method must match.

I support sticking with the current draft using semicolons.
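The AND-versus-OR distinction above, worked through as an added example (not code from the thread or from any ACME-CAA implementation): a small evaluator that parses an `issue` property value of the form `issuer-domain; key=value; ...`, enforces every parameter on a single record (AND), and then accepts issuance if any relevant record permits it (OR across records). The parameter names `accounturi` and `validationmethods` and the sample records are the ones quoted in the thread; the evaluation model is deliberately simplified (no CNAME/tree-climbing lookup, no `issuewild` or critical-flag handling), and the constructed issuance requests are assumptions chosen to expose the difference.

```python
# Added example, not part of the original mailing-list thread.
# Shows why splitting one CAA issue record's parameters across two records
# weakens the policy: within a record parameters are ANDed, across records
# the CA only needs ANY record to match.
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_issue_value(value: str):
    """Parse 'issuer-domain; k=v; k=v' into (issuer_domain, {k: v}).

    Raises ValueError on a malformed parameter, mirroring tooling that
    rejects records with invalid syntax.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed CAA parameter: {part!r}")
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_permits(record: CAARecord, ca_domain: str,
                   account_uri: str, validation_method: str) -> bool:
    """A single record permits issuance only if the issuer matches AND
    every parameter present on that record is satisfied."""
    issuer, params = parse_issue_value(record.value)
    if issuer != ca_domain.lower():
        return False
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    if "validationmethods" in params:
        allowed = {m.strip() for m in params["validationmethods"].split(",")}
        if validation_method not in allowed:
            return False
    return True


def issuance_permitted(records, ca_domain: str,
                       account_uri: str, validation_method: str) -> bool:
    """Across records the check is a logical OR: issuance is allowed if any
    'issue' record for this CA permits it. (Simplified: an empty record set
    is treated as 'no CAA restriction'.)"""
    relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:
        return True
    return any(record_permits(r, ca_domain, account_uri, validation_method)
               for r in relevant)


# Constructed sample data: the two policies quoted in the thread.
COMBINED = [
    CAARecord(0, "issue",
              "acmeca.com; validationmethods=http-01; "
              "accounturi=https://api.acmeca.com/acct/1"),
]
SPLIT = [
    CAARecord(0, "issue", "acmeca.com; validationmethods=http-01"),
    CAARecord(0, "issue", "acmeca.com; accounturi=https://api.acmeca.com/acct/1"),
]


def compare_policies():
    """Evaluate constructed issuance requests against both policies and
    return {request_label: (combined_result, split_result)}."""
    requests = {
        # Both constraints satisfied: every policy should allow this.
        "acct1+http-01": ("https://api.acmeca.com/acct/1", "http-01"),
        # Right account, wrong method: combined policy must refuse.
        "acct1+dns-01": ("https://api.acmeca.com/acct/1", "dns-01"),
        # Right method, different account: combined policy must refuse.
        "acct2+http-01": ("https://api.acmeca.com/acct/2", "http-01"),
    }
    results = {}
    for label, (acct, method) in requests.items():
        results[label] = (
            issuance_permitted(COMBINED, "acmeca.com", acct, method),
            issuance_permitted(SPLIT, "acmeca.com", acct, method),
        )
    return results


if __name__ == "__main__":
    for label, (combined, split) in compare_policies().items():
        print(f"{label:15} combined={combined!s:5} split={split!s:5}")
```

Running it shows the two requests that satisfy only one of the two constraints are refused under the single combined record but accepted under the split records, which is exactly the AND-to-OR change the reply objects to.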