Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
Hugo Landau <hlandau@devever.net> Sat, 15 June 2019 14:56 UTC
Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E25A2120086; Sat, 15 Jun 2019 07:56:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=devever.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezAoG24AZkCK; Sat, 15 Jun 2019 07:56:16 -0700 (PDT)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C42FA120018; Sat, 15 Jun 2019 07:56:14 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id E37AD1C055; Sat, 15 Jun 2019 16:56:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-transfer-encoding :content-disposition:content-type:content-type:mime-version :references:message-id:subject:subject:from:from:date:date :received:received; s=mimas; t=1560610571; x=1578799932; bh=ych/ YADtb8FNG5ppfyk7+rpiJHbW/EqJeY7ak98iWk0=; b=F9yTni4kEGf3wa0JhPuh 0rod0YoZM87j9kKI+h5Q+T1E09nwAEegr8u1Gsew/27D8BafIv3V8d57/0fbiTY4 +bfzdHrj0NUtReGS5DNL+IMyhQT8sF9NwZN6keFGO5RZMtWhHDVFFmEbk/OhYcBq CI5ajAqMt7NVg2rkx5VymA8CV6EQENZhN3kJlGMiYaeSyOQJXmdGlGe4vv0KhJTc an/K5lu3d5BtBhN+Jv2ZIVJwWRPpJmEKci1kGYpvh29yRiyTp5rX7OLuAM2SoHaN Wj4Sk/zSWI+XQITVoEIyFhcdlxMcxRrBRGcMAXrwPjPje6akVzKU9jvhw0ReOiSo YA==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id qGjosaiHWWlh; Sat, 15 Jun 2019 16:56:11 +0200 (CEST)
Received: from axminster (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 8CB3C1C032; Sat, 15 Jun 2019 16:56:11 +0200 (CEST)
Date: Sat, 15 Jun 2019 15:56:11 +0100
From: Hugo Landau <hlandau@devever.net>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Message-ID: <20190615145611.GA14683@axminster>
References: <155899962263.692.16282630101807703064.idtracker@ietfa.amsl.com> <20190606065232.GA14091@axminster> <20190614001105.GN52381@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20190614001105.GN52381@kduck.mit.edu>
User-Agent: Mutt/1.11.3 (2019-02-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/SfJq8aKnPkrIdgT7Yps59Jky2lo>
Subject: Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Jun 2019 14:56:19 -0000
> > CAs MUST select and process account URIs under the assumption that
> > untrusted third parties may learn of them.
>
> As Tim notes, this isn't really an actionable MUST, so we probably should
> just go with "are encouraged to".
Done.
> >
> > The value of the "validationmethods" parameter MUST comply with the
> > following ABNF {{RFC5234}}:
> >
> > value = [*(label ",") label]
> > label = 1*(ALPHA / DIGIT / "-")
>
> That looks okay to my eye, but let's see if we can get an ART AD to look at
> it, as well -- I'm only an amateur at ABNF.
Sounds good, putting this in for now.
> > > Section 5.2
> > >
> > > I think this section may be predicated on an understanding of CAA
> > > "issue"/"issuewild" parameters that does not match my own. (Note that
> > > this includes the possibility that my understanding is incorrect.)
> > > Specifically, my reading of draft-ietf-lamps-rfc6844bis-06 Section 4.2
> > > indicates that a given paramter is only defined for usage in a CAA
> > > "issue" record at the explicit specification of the Issuer, and that the
> > > Issuer alone determines their semantics. So when this text says that
> > > parameters are not an effective control absent out-of-band establishment
> > > of support, that's either a non sequitur or a tautology -- nobody has
> > > any business adding parameters to an Issuer's CAA entry unless that
> > > Issuer has told them to do so, full stop.
> > > Granted, we are complicating things by providing a preestablished
> > > specification for a set of parameters that an Issuer may choose to
> > > incorporate by reference, but I don't see that as changing the fact that
> > > the parameters are still specific to the given Issuer (and their CAA
> > > entry).
> > > Similarly, "MUST NOT assume" and "SHOULD also document" are repeating
> > > requirements from rfc6844bis, when starting from my frame of reference
> > > (and thus would not need to use the normative capitalization).
> > I agree with your interpretation, and this interpretation is in fact
> > explicitly stated in the IANA considerations section — but I don't think
> > how this is worded currently is a problem.
>
> This is a non-blocking comment, so it's entirely your call. If you wanted
> a concrete suggestion from me, I'd probably consider a minimal change like
> adding a new sentence at the start and tweaking the transition:
> "CAA
> records are inherently an indicator of an agreement between a domain owner
> and one or more CAs, so inserting CAA records into the DNS without
> cooperation from a CA is not expected to have any effect. Accordingly, the
> CAA parameters specified in this section rely on [...]". But I just wrote
> that on the fly and will not be surpirsed if it is unsatisfactory :)
I don't want the document to assume some sort of legal/contractual
relationship, so I decided to go with this:
Because the parameters of "issue" or "issuewild" CAA properties
constitute a CA-specific namespace, the CA identified by an "issue" or
"issuewild" property decides what parameters to recognise and their
semantics. Accordingly, the CAA parameters defined in this
specification rely on their being recognised by the CA named by an
"issue" or "issuewild" CAA property, and are not an effective means of
control over issuance unless a CA's support for the parameters is
established beforehand.
- [Acme] Benjamin Kaduk's Discuss on draft-ietf-acm… Benjamin Kaduk via Datatracker
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Hugo Landau
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Tim Hollebeek
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Acme] Benjamin Kaduk's Discuss on draft-ietf… Hugo Landau