IETF Logo Mail Archive

Re: [Acme] ACME draft is now in WGLC.

Richard Barnes <rlb@ipv.sx> Mon, 20 March 2017 16:10 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B24F1294D0 for <acme@ietfa.amsl.com>; Mon, 20 Mar 2017 09:10:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMxrVbpdtmF2 for <acme@ietfa.amsl.com>; Mon, 20 Mar 2017 09:10:23 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09C41127076 for <acme@ietf.org>; Mon, 20 Mar 2017 09:10:23 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id v203so19526693wmg.0 for <acme@ietf.org>; Mon, 20 Mar 2017 09:10:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uoQx9Ln83blVRSuIN7tJrdBZtPhTfPouar/9bByB6w8=; b=VDXLBy34KXV83V3zru5Ra2qh1oWbnYPk6c7AhsywqfZTeDyjgYIeOyEknmOsf8TGhe R/+q6xVtuGLLccNtaXyVZe/hoKe2RXgVoHVS2nEAMjKHHZekRKdWCbxO4Qd/Exy9Y/4Y aNLhxHy5Dqd2tLjgAeP3p1W9YIg+uIZ8TMDrA/4iM7ducLIXnL5nICwbSxO8Tsmb7qDx UGTY0sOTk2IdKkAFh02+scJrONzFcBvoYb8G9iyVqCBSwJAmADqSeey035kOOvNDv9ib opeMlTJDzdzlk+Lj3K55zc4WNl3HSxeUcBpsVvAgqPhYpdeRsPWQL0IgiHCi7lvYfSPa Gezg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uoQx9Ln83blVRSuIN7tJrdBZtPhTfPouar/9bByB6w8=; b=VRAlZa/ZVZ0YzEOF2F4dz7f0ABA37DqmJTOw6eS4fclGFdqXdVY+rHcOMKLSNlVj/k nSivGfP1ZL3h4CIYSmVoEEqHfrbp9L3z1ptupfpY5YU2cPnhH8bIok0C4dX0+lQYXNNQ Bk+b+V3QN6CcBFoDlYaHtq8ipZEU4wqGB0r3GsMWicxVQBBu562BSQ+ZsIt3MoIEG8Ka 1fgRgLuXzHaTlObIKGdPSvv6K330hyHmNFtr6fZsmSKM/wMKWyo6j4yMG1OOjAEgKnPN u4xaVAj9TTddCLQreUwQ0O2pfAL/pUHdkdh5c+3R8DnAOuZrZJNmDGbvaNstmP24hrSc E8Tw==
X-Gm-Message-State: AFeK/H1z8Wy9dumFZQtw2jP5Kb3btKzVmcBnm1Lj3/7zwLbWC9MrvmuU3UYaeMDF33eGImJBaSVEId4k4WEmew==
X-Received: by 10.28.156.69 with SMTP id f66mr10456913wme.56.1490026221360; Mon, 20 Mar 2017 09:10:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.31.2 with HTTP; Mon, 20 Mar 2017 09:10:20 -0700 (PDT)
In-Reply-To: <CAMm+LwhOwo-fMh9hhAKzL6gVetEm1mVHxvih4q3WpVDM6D9TkQ@mail.gmail.com>
References: <8473d9ba84894d49b2f2232370d66b46@usma1ex-dag1mb3.msg.corp.akamai.com> <20170307031510.GN7733@mournblade.imrryr.org> <20170307032023.GO7733@mournblade.imrryr.org> <9471a5323a98405eaf0ee111fb0350b0@usma1ex-dag1mb3.msg.corp.akamai.com> <20170313201410.GG4095@mournblade.imrryr.org> <12461433fb264865972e9ddafab1c511@usma1ex-dag1mb1.msg.corp.akamai.com> <20170314162425.GA13868@andover.lhh.devever.net> <CAL02cgQW5434JjEvZzBp_X1+ViuiK5A2gd_Az7rw6H4DifyjZA@mail.gmail.com> <CAMm+LwhOwo-fMh9hhAKzL6gVetEm1mVHxvih4q3WpVDM6D9TkQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 20 Mar 2017 12:10:20 -0400
Message-ID: <CAL02cgRA+hvH0xgrePZNS9+4nqu0zYED=BEOvmoz0cUWi2wMbQ@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Hugo Landau <hlandau@devever.net>, "Salz, Rich" <rsalz@akamai.com>, "acme@ietf.org" <acme@ietf.org>
Content-Type: multipart/alternative; boundary="001a114b7e2aa174fe054b2bc390"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/bvj9kVQs3YdBDCojATLWJyV2nu0>
Subject: Re: [Acme] ACME draft is now in WGLC.
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 16:10:26 -0000

On Sat, Mar 18, 2017 at 1:08 PM, Phillip Hallam-Baker <phill@hallambaker.com
> wrote:

>
>
> On Tue, Mar 14, 2017 at 2:24 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>>
>>
>> On Tue, Mar 14, 2017 at 12:24 PM, Hugo Landau <hlandau@devever.net>
>> wrote:
>>
>>> > > The CAA check is/was easy to make and crippling it
>>> > > by not making it a requirement was IMNSHO a mistake.
>>> > ...
>>> > > I urge the WG to reconsider.
>>> >
>>> > Does anyone else agree with Viktor?  Please speak up on the list this
>>> week if so.
>>>
>>> I'd agree that the CAA check should be made mandatory. At least, I can't
>>> think of any good reason why it shouldn't be.
>>>
>>
>> I very strongly disagree.  What checks the CA does before issuing is up
>> to the CA's policy.  This document provides tools for CAs to do those
>> checks; it does not constrain what CAs do.
>>
>>
>>
>>> I'd also agree that the use of a DNSSEC-validating resolver accessed via
>>> a trusted network (preferably localhost) should be mandatory.
>>>
>>
>> Likewise.
>>
>> ​​
>> --Richard
>>
>
> ​If that were so, why does ACME have any support for DNS validat​ion? It
> is merely CA policy after all.
>
> The point of CAA is that it is the one mechanism that is provided to allow
> domain owners to signal to third parties what parties they authorize to
> issue certs.
>
> In my view CAA should be mandatory for the reasons above.
>
> The other reason for making CAA mandatory is that if we are going to fully
> automate the issue process, we might well want to use information in the
> CAA records to facilitate that. That was the reason I thought Paul
> Hoffman's idea of using the DNS name rather than a policy oid or some PKIX
> identifier was the right approach.
>

This specification has always been focused on providing tools for CAs,
*not* on constraining what CAs must do.  What MUSTs there are in the
specification are to make clear the mechanisms that the specifications
define, not to specify CA policy.

CAA is clearly on the other side of that line -- it's not a part of the
mechanisms we define in this specification, but a totally separate
mechanism that CAs apply to vet requests.  It's much more like high-value
name checking than DNS validation.

I would be fine adding a line to the "CA Policy Considerations" section
[1], which is where other similar things have gone.

To be clear: I think CAA checking is a good idea, and I'm delighted that
CABF recently decided to require it [2].  I just don't think it's
appropriate for ACME to require it.

--Richard


[1] https://ietf-wg-acme.github.io/acme/#rfc.section.10.5
[2] https://cabforum.org/pipermail/public/2017-March/009988.html

v2.23.0 | Report a Bug | By Email