[Acme] Warren Kumari's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
Warren Kumari via Datatracker <noreply@ietf.org> Wed, 29 May 2019 19:40 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: acme@ietf.org
Delivered-To: acme@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B59D412016A; Wed, 29 May 2019 12:40:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Warren Kumari via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, cpu@letsencrypt.org, acme@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.97.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Warren Kumari <warren@kumari.net>
Message-ID: <155915884273.5515.12483785841415224773.idtracker@ietfa.amsl.com>
Date: Wed, 29 May 2019 12:40:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bdWwlz8xpT8dM1RAXwekY4oovSU>
Subject: [Acme] Warren Kumari's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 19:40:43 -0000
Warren Kumari has entered the following ballot position for draft-ietf-acme-caa-07: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-acme-caa/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Firstly, thank you for writing this -- I do however have some concerns around Section "5.6. Use with and without DNSSEC" 1: "Where a domain chooses to secure its nameservers using DNSSEC, the authenticity of its DNS data can be assured, providing that a given CA makes all DNS resolutions via an appropriate, trusted DNSSEC-validating resolver." A: DNSSEC does *not* secure nameservers, it secures the DNS data itself (think object security vs channel security) -- I'd suggest "When a domain is signed using DNSSEC, the authenticity..." B: I'm confused what"appropriate" means in "appropriate, trusted DNSSEC validating resolver" -- if it is trusted I'd assume it is appropriate? Please explain. C: The way that a resolver signals to a client that it has performed validation (and that the answer validated) is to set a single bit (AD) in the response - this is obviously something which should not be relied upon for security sensitive stuff - I'd strongly suggest that i) there be some text around getting the responses from the resolver to the CA machine securely (e.g over DNS-over-TLS), or better yet ii) that the CA machine itself do the DNSSEC validation - there are many libraries / systems to make this easy, e.g Stubby, libunbound, etc. 2: "A domain can use this property to protect itself from the threat posed by a global adversary capable of performing man-in-the-middle attacks, ..." A: What is the purpose of "global" in "global adversary" -- I'm assuming it is trying to communicate something important here, but how is this different to a "local" adversary capable of performing man-in-the-middle attacks? 3: " Use of the "accounturi" or "validationmethods" parameters does not confer additional security against an attacker capable of performing a man-in-the-middle attack against all validation attempts made by a given CA which is authorized by CAA where: 1. A domain does not secure its nameservers using DNSSEC, or 2. That CA does not perform CAA validation using a trusted DNSSEC-validating resolver. Moreover, use of the "accounturi" or "validationmethods" parameters does not mitigate against man-in-the-middle attacks against CAs which do not validate CAA records, or which do not do so using a trusted DNSSEC-validating resolver, ..." Can this document simply say: "When using this method, CA's MUST use a DNSSEC-validating resolver"? -- it will a: make the protocol more secure and b: simplify a bunch of the document and c: isn't a large burden. During the so-called "DNSpionage" incident, it seems that a specific CA was chosen because it didn't do DNSSEC validation (or, perhaps would try validate, but would still issue if DNSSEC validation failed) -- see: https://mailman.nanog.org/pipermail/nanog/2019-March/099852.html ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you again for writing this, and apologies for not balloting earlier - I've got a cold and am behind on my IETF work.
- [Acme] Warren Kumari's Discuss on draft-ietf-acme… Warren Kumari via Datatracker
- Re: [Acme] Warren Kumari's Discuss on draft-ietf-… Hugo Landau
- Re: [Acme] Warren Kumari's Discuss on draft-ietf-… Warren Kumari