Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
Hugo Landau <hlandau@devever.net> Thu, 30 May 2019 20:51 UTC
Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 768CA12014B; Thu, 30 May 2019 13:51:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=devever.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4VWjmi52f9Hf; Thu, 30 May 2019 13:51:54 -0700 (PDT)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 336661200E3; Thu, 30 May 2019 13:51:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 4DEFB1C055; Thu, 30 May 2019 22:51:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-transfer-encoding :content-disposition:content-type:content-type:mime-version :references:message-id:subject:subject:from:from:date:date :received:received; s=mimas; t=1559249511; x=1577438872; bh=3y70 xigskb4D6SHecKi2Oa5wUcRFEbaqw1P4l/ZEGwM=; b=d2uchPnnJagjPzGby51l QNfiDOOj0LzW+moPOT1qfyWR76BIfXxM4x3mMvcqGm5ka4q7qoyWaj6lCC1gpzJX p3iG9PRx0X8MNYZbhIyp/3HBJFPRHieuufNahEwEijgvgVpExCASQz74r2jd5E2t 83XBAy2ggPRY+tYzW7pEtIWyDJMmVhhVMfrlO7cJVEldLojiUb/GrTOkHi+pfqAm khkbekx3DV8iTQvL2ANGGLJbJGujE+lthgk2rILdDkp89/KM+2kOloCowYb1ar5j eWHm5dkj2Snj+FcSnz+JetdK09EYSn8zL48NNuNKYcj0GA+UGgm1NBiqevZ1Eabo Cw==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id 83JH1G8hguO2; Thu, 30 May 2019 22:51:51 +0200 (CEST)
Received: from axminster (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id EBAD81C032; Thu, 30 May 2019 22:51:50 +0200 (CEST)
Date: Thu, 30 May 2019 21:51:50 +0100
From: Hugo Landau <hlandau@devever.net>
To: Barry Leiba <barryleiba@computer.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Message-ID: <20190530205150.GA21655@axminster>
References: <155888292737.18381.13153334659362661935.idtracker@ietfa.amsl.com> <20190530174230.GA12694@axminster> <CALaySJJ1M8Rnp4wRAn3xgfV3JM5vDDBU6MAhRpikHNSPgvZmSQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CALaySJJ1M8Rnp4wRAn3xgfV3JM5vDDBU6MAhRpikHNSPgvZmSQ@mail.gmail.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/Y4_XFlyHvJ1S7UW7d9X1BjDn55g>
Subject: Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 20:51:58 -0000
> This all makes sense. Would it be reasonable to recommend not just > "ca-", but "ca-<caidentifier>-"? Experience has shown that if "flarb" > is a common thing among CAs (or whatever) and Verisign implements a > "ca-flarb", that will tend to leak and become an unregistered > standard... but that's far less likely to happen if it's > "ca-verisign-flarb". I'm not suggesting any formalization nor > registry for the <caidentifier> part, but just the fact that it's > included tends to get us away from the problem that BCP 178 is > addressing. The important thing to consider is that these identifiers always occur in a context scoped to a specific CA: example.com. IN CAA 0 issue "example.net; validationmethods=ca-foo" where example.net is some CA. So if you like, you can think of the validation method expressed here as being the tuple ("example.net", "ca-foo"). It's pretty much isomorphic to if, for example, one chose URIs instead along the lines of validationmethod://example.net/foo. But since all parameters on a CAA property are implicitly qualified by the CA's domain, this seemed very overkill. It is possible that different CAs will allocate the same identifiers to mean approximately the same thing — for example, if 10 different CAs elected to use "ca-email" for generic non-ACME email-based domain validation. They might also allocate the same identifiers to mean very different things. The premise of the ca- prefix, however, is that an entity requesting certificates is willing to establish a relationship with a CA in a non-automated fashion. In this case, that means reading a CA's documentation on supported validationmethods identifiers and understanding their semantics. I think this is reasonable since people don't change CAs frequently or automatically, or at least in the non-ACME cases. With ACME things can be automated much more — and in that case, the validationmethods identifiers used are fully standardised. So "identifier cross-pollination" between CAs is I think a non-issue. What I think you're trying to express is the possibility that e.g. Verisign has some method "ca-foo" and Digicert has some very different method also called "ca-foo", and at some point Digicert wants to let people refer to Verisign's "ca-foo" method. But reusing the same identifier isn't useful for the reasons given above; switching CAs in the non-ACME case is necessarily a manual process and will necessitate having some understanding of a CA's published (natural language) policies. Moreover, enabling CAs to reference validation method identifiers used by other CAs would undermine the point of the prefix, which is to be explicitly local to the specific CA whose domain is given. Perhaps most seriously though, this would make the first CA vulnerable to the possibility that the second CA subseqently changes their policy for the given identifier. In practice, CAs are extremely unlikely to want to create policy dependencies on other legal entities like this. It would be tantamount to a CA's CPS section on validation saying "We do the same thing Verisign does." So, if anything I think a scheme such as "ca-verisign-foo" is riskier. > > The CAA specification allows parameters to be attached to CAA > > properties, but this is a CA-specific namespace. Per CAA, there is no > > IANA registry for CAA parameters, and a CA is not required to give the > > meaning given in this I-D to "accounturi" or "validationmethods" > > parameters, unless it chooses to implement this RFC. See "Restrictions > > Ineffective without CA Recognition". > > OK; no longer a DISCUSS, and no need for further response, but if you > can re-word that to explain the situation a bit better, that'd be > great. Tweaked it a little.
- [Acme] Barry Leiba's Discuss on draft-ietf-acme-c… Barry Leiba via Datatracker
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Hugo Landau
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Barry Leiba
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Salz, Rich
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Hugo Landau
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Barry Leiba
- Re: [Acme] Barry Leiba's Discuss on draft-ietf-ac… Hugo Landau