IETF Logo Mail Archive

Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

"Salz, Rich" <rsalz@akamai.com> Fri, 22 June 2018 18:00 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A75CA130EBA for <acme@ietfa.amsl.com>; Fri, 22 Jun 2018 11:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 595LZHRGu-ww for <acme@ietfa.amsl.com>; Fri, 22 Jun 2018 11:00:32 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43CD6130E10 for <acme@ietf.org>; Fri, 22 Jun 2018 11:00:32 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w5MHvWMv031031; Fri, 22 Jun 2018 19:00:24 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=ExihYaVDSaNS8el7+D9T/5py6adsuczbL7hL6Z/q4mc=; b=ZyfR6CHbLNrbWLS4pff3BeaDsILCsfztYg3d9FoIWGAqCFR2WdMZkAKxDeO0MxG+gkn4 z2xbsowACmKpZEW8tAsOviI7I6t4s5Ta7wWQn8d4T5PMaOfV23Sn/U0Lfi2mgSPurMNS Kvwa5rRfWjN0svBkuqDWMcU/InblGY/kynagotftZ0xhfnV4SUUVN2IRmlpyn9Qpx4AD e1wRGzOstaLWmYyYxRC5FZkaOwC5E6krGNuFdUXu+tuleUL9dxiURd2fbjVV+NxhApDc sZgIVD8IbEDniY50aEy+D9N8x2ZhnaSIN6pofYgyTkCksbiXXfnkiBHteK9Iuxe+r5q/ 8Q==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050096.ppops.net-00190b01. with ESMTP id 2jrp7p294f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 22 Jun 2018 19:00:23 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w5MHtsG8007152; Fri, 22 Jun 2018 14:00:22 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.32]) by prod-mail-ppoint2.akamai.com with ESMTP id 2jrp6ym4kg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 22 Jun 2018 14:00:22 -0400
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com (172.27.27.101) by ustx2ex-dag1mb1.msg.corp.akamai.com (172.27.27.101) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Fri, 22 Jun 2018 12:59:21 -0500
Received: from USTX2EX-DAG1MB1.msg.corp.akamai.com ([172.27.6.131]) by ustx2ex-dag1mb1.msg.corp.akamai.com ([172.27.6.131]) with mapi id 15.00.1365.000; Fri, 22 Jun 2018 12:59:21 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Ivan Ristic <ivan.ristic@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
CC: IETF ACME <acme@ietf.org>, Hugo Landau <hlandau@devever.net>, Roland Shoemaker <roland@letsencrypt.org>
Thread-Topic: [Acme] Handling non-conformant CAA property names in ACME-CAA
Thread-Index: AQHUCNfq8vNmrCO/pUO2TFUDsUbHWKRp/IEAgACr+ACAAFDWAP//6KwAgABukoCAAVQDAA==
Date: Fri, 22 Jun 2018 17:59:20 +0000
Message-ID: <312E783B-2847-4FE5-A674-65F0123A7D70@akamai.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <CAErg=HEHGhADKr460195-M5L8VeKBT0Hj1LiwmoZbhTNqjpYvw@mail.gmail.com> <CANHgQ8Fb7GqSBt+ptTTPOLoGe1jph_8kFm2CqT=6NgcdVFsViw@mail.gmail.com> <BN6PR14MB11064F83C5CD3F2DCC1EC76483760@BN6PR14MB1106.namprd14.prod.outlook.com> <F9B138A3-906B-42B5-AE18-C305D51EAE4A@akamai.com> <BN6PR14MB1106E3FF5E13EA5E376C8FAD83760@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB1106E3FF5E13EA5E376C8FAD83760@BN6PR14MB1106.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.e.1.180613
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.46.133]
Content-Type: multipart/alternative; boundary="_000_312E783B28474FE5A67465F0123A7D70akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-22_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1806220199
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-22_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1806220199
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/OkNkxnfX7bnOLRK5Ja_vinR8iRE>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jun 2018 18:00:36 -0000

Hugo just submitted a draft (Thanks!) that does this.

I don’t think we need to reset the clock, and will continue with advancing this.

From: Tim Hollebeek <tim.hollebeek@digicert.com>
Date: Thursday, June 21, 2018 at 1:42 PM
To: Rich Salz <rsalz@akamai.com>, "ivan.ristic@gmail.com" <ivan.ristic@gmail.com>, Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: "acme@ietf.org" <acme@ietf.org>, Hugo Landau <hlandau@devever.net>, Roland Shoemaker <roland@letsencrypt.org>
Subject: RE: [Acme] Handling non-conformant CAA property names in ACME-CAA

I agree with Ryan that that’s probably the best way forward, if changing the names to remove the hyphens doesn’t cause undue hardship.

-Tim

From: Salz, Rich [mailto:rsalz@akamai.com]
Sent: Thursday, June 21, 2018 9:07 AM
To: Tim Hollebeek <tim.hollebeek@digicert.com>; Ivan Ristic <ivan.ristic@gmail.com>; Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: IETF ACME <acme@ietf.org>; Hugo Landau <hlandau@devever.net>; Roland Shoemaker <roland@letsencrypt.org>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

It seems the quickest way to address this is to remove the hyphens from the labels and continue progressing the doc.

Hugo, can you do this in the next few days, or should we (chairs) find someone else?

From: Tim Hollebeek <tim.hollebeek@digicert.com<mailto:tim.hollebeek@digicert.com>>
Date: Thursday, June 21, 2018 at 8:30 AM
To: "ivan.ristic@gmail.com<mailto:ivan.ristic@gmail.com>" <ivan.ristic@gmail.com<mailto:ivan.ristic@gmail.com>>, Ryan Sleevi <ryan-ietf@sleevi.com<mailto:ryan-ietf@sleevi.com>>
Cc: "acme@ietf.org<mailto:acme@ietf.org>" <acme@ietf.org<mailto:acme@ietf.org>>, Hugo Landau <hlandau@devever.net<mailto:hlandau@devever.net>>, Roland Shoemaker <roland@letsencrypt.org<mailto:roland@letsencrypt.org>>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

The current ABNF in 6844 is basically broken, and doesn’t express what it was intended to express.  I remember staring at it with Corey and wondering how it got approved …

So while I’m not particularly picky on the exact bureaucratic details of how a fix gets made, it would be nice to get this resolved quickly via an errata or whatever.  There are a bunch of reasonable extensions to CAA that could be made in the future, and a solid and agreed-upon grammar is a necessary prerequisite.

Another option (at least for uses on the Web PKI) is clarification by CABF ballot.  Despite all the downsides of CABF, it does have the ability to move pretty quickly when it needs to.

-Tim

From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Ivan Ristic
Sent: Thursday, June 21, 2018 3:41 AM
To: Ryan Sleevi <ryan-ietf@sleevi.com<mailto:ryan-ietf@sleevi.com>>
Cc: IETF ACME <acme@ietf.org<mailto:acme@ietf.org>>; Hugo Landau <hlandau@devever.net<mailto:hlandau@devever.net>>; Roland Shoemaker <roland@letsencrypt.org<mailto:roland@letsencrypt.org>>
Subject: Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Just to add to this, those CAs whose CAA processing follows the current spec will likely see all CAA policies with ACME-CAA extensions as invalid, potentially leading to operational issues. It's going to be the same with tools that inspect and validate CAA (e.g., our tool, Hardenize).

On Wed, Jun 20, 2018 at 10:25 PM, Ryan Sleevi <ryan-ietf@sleevi.com<mailto:ryan-ietf@sleevi.com>> wrote:
On Wed, Jun 20, 2018 at 4:47 PM, Roland Shoemaker <roland@letsencrypt.org<mailto:roland@letsencrypt.org>> wrote:
As previously discussed on the list the two property names defined in draft-ietf-acme-caa, "validation-methods” and "account-uri”, do not conform to the ABNF syntax in RFC 6844 as they contain hyphens. 6844-bis fixes this by expanding the ABNF to be less restrictive but for now this doesn’t really address the problem at hand.

Given it is probably unlikely that 6844-bis will be standardized any time soon is there any plan to make changes to draft-ietf-acme-caa to address this in the short term? Given we are not yet at the point where there is wide deployment/adoption of this feature can we take the easy route and simply remove the hyphens so that the document at least complies with the existing CAA document?

It is not just that -bis would need to be finalized and standardized, but that CAs would also have to adopt and recognize the syntax in -bis, updating their 6844 implementations. Even if -bis were final tomorrow, that would still take considerable time, given the normative differences, and so I think aligning on an inter-operable expression is certainly preferable, allowing it to work with both 6844 and -bis.

_______________________________________________
Acme mailing list
Acme@ietf.org<mailto:Acme@ietf.org>
https://www.ietf.org/mailman/listinfo/acme



--
Ivan

v2.23.0 | Report a Bug | By Email