Re: [Acme] Handling non-conformant CAA property names in ACME-CAA

Ivan Ristic <ivan.ristic@gmail.com> Thu, 21 June 2018 07:40 UTC

In-Reply-To: <CAErg=HEHGhADKr460195-M5L8VeKBT0Hj1LiwmoZbhTNqjpYvw@mail.gmail.com>
References: <DC2B6BEA-713F-468E-A374-97C3A01CFEAF@letsencrypt.org> <CAErg=HEHGhADKr460195-M5L8VeKBT0Hj1LiwmoZbhTNqjpYvw@mail.gmail.com>
From: Ivan Ristic <ivan.ristic@gmail.com>
Date: Thu, 21 Jun 2018 08:40:48 +0100
Message-ID: <CANHgQ8Fb7GqSBt+ptTTPOLoGe1jph_8kFm2CqT=6NgcdVFsViw@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Roland Shoemaker <roland@letsencrypt.org>, IETF ACME <acme@ietf.org>, Hugo Landau <hlandau@devever.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/i-scjD2hBcmCG3RcfyAuk9Ttdk4>

Just to add to this, those CAs whose CAA processing follows the current
spec will likely see all CAA policies with ACME-CAA extensions as invalid,
potentially leading to operational issues. It's going to be the same with
tools that inspect and validate CAA (e.g., our tool, Hardenize).

On Wed, Jun 20, 2018 at 10:25 PM, Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

> On Wed, Jun 20, 2018 at 4:47 PM, Roland Shoemaker <roland@letsencrypt.org>
> wrote:
>
>> As previously discussed on the list the two property names defined in
>> draft-ietf-acme-caa, "validation-methods" and "account-uri", do not conform
>> to the ABNF syntax in RFC 6844 as they contain hyphens. 6844-bis fixes this
>> by expanding the ABNF to be less restrictive but for now this doesn’t
>> really address the problem at hand.
>>
>> Given it is probably unlikely that 6844-bis will be standardized any time
>> soon is there any plan to make changes to draft-ietf-acme-caa to address
>> this in the short term? Given we are not yet at the point where there is
>> wide deployment/adoption of this feature can we take the easy route and
>> simply remove the hyphens so that the document at least complies with the
>> existing CAA document?
>>
>
> It is not just that -bis would need to be finalized and standardized, but
> that CAs would also have to adopt and recognize the syntax in -bis,
> updating their 6844 implementations. Even if -bis were final tomorrow, that
> would still take considerable time, given the normative differences, and so
> I think aligning on an inter-operable expression is certainly preferable,
> allowing it to work with both 6844 and -bis.
>


-- 
Ivan
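Added example (not code from this thread, from Hardenize or from any CA): a small checker that parses a CAA "issue" property value under the RFC 6844 grammar and under the relaxed grammar of 6844-bis (later published as RFC 8659). It shows the interoperability point made above: a parameter tag containing a hyphen, such as "account-uri", is rejected by a parser that follows RFC 6844 as written, while a hyphen-free spelling (assumed here as "accounturi" / "validationmethods", the obvious alternative, not a name taken from the thread) passes under both grammars. The sample record values are constructed for this example.

```python
"""
Parse a CAA "issue" property value under two grammars.

RFC 6844, section 5.2:
    issuevalue = space [domain] space [";" *(space parameter) space]
    parameter  = tag "=" value
    tag        = 1*(ALPHA / DIGIT)
    value      = *VCHAR

RFC 8659 (6844-bis), section 4.2:
    issue-value = *WSP [issuer-domain-name *WSP] [";" *WSP [parameters *WSP]]
    parameters  = (parameter *WSP ";" *WSP parameters) / parameter
    parameter   = tag *WSP "=" *WSP value
    tag         = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT) )
    value       = *(%x21-3A / %x3C-7E)      ; VCHAR minus ";"
"""
import re

LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

PARAM_RE = {
    # RFC 6844: tag = 1*(ALPHA / DIGIT), value = *VCHAR, no whitespace around "=".
    "rfc6844": re.compile(r"([A-Za-z0-9]+)=([\x21-\x7e]*)"),
    # RFC 8659: interior hyphens allowed in tag, ";" excluded from value,
    # optional whitespace around "=".
    "rfc8659": re.compile(
        r"([A-Za-z0-9](?:-*[A-Za-z0-9])*)[ \t]*=[ \t]*([\x21-\x3a\x3c-\x7e]*)"
    ),
}


def _split_parameters(rest, grammar):
    """Split the text following the first ";" into parameter tokens."""
    if grammar == "rfc6844":
        # ";" *(space parameter) space: parameters are whitespace-separated.
        # Because value = *VCHAR, a value may itself contain ";".
        return rest.split()
    # RFC 8659: parameters are separated by *WSP ";" *WSP.
    tokens = [t.strip(" \t") for t in rest.split(";")]
    return [] if tokens == [""] else tokens


def parse_issue_value(text, grammar):
    """Parse an issue/issuewild property value under the named grammar.

    Returns (issuer_domain or None, {tag: value}).  Raises ValueError on any
    deviation from the grammar, which is how a strict implementation would
    treat the record.
    """
    param_re = PARAM_RE[grammar]
    head, sep, rest = text.partition(";")
    head = head.strip(" \t")
    domain = None
    if head:
        if not DOMAIN_RE.fullmatch(head):
            raise ValueError(f"{grammar}: malformed issuer domain {head!r}")
        domain = head
    params = {}
    if sep:
        for token in _split_parameters(rest, grammar):
            m = param_re.fullmatch(token)
            if not m:
                raise ValueError(f"{grammar}: malformed parameter {token!r}")
            params[m.group(1)] = m.group(2)
    return domain, params


def check_record(text):
    """Return, per grammar, whether the value parses and what it yields."""
    report = {}
    for grammar in PARAM_RE:
        try:
            domain, params = parse_issue_value(text, grammar)
            report[grammar] = {"ok": True, "domain": domain, "params": params}
        except ValueError as exc:
            report[grammar] = {"ok": False, "error": str(exc)}
    return report


# Constructed sample values (not taken from the thread or from any real zone).
SAMPLES = [
    "ca.example; account-uri=https://ca.example/acct/123",      # draft spelling
    "ca.example; accounturi=https://ca.example/acct/123",       # hyphen removed (assumed)
    "ca.example; validation-methods=dns-01,http-01",
    "ca.example; validationmethods=dns-01,http-01",
    "ca.example",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value))
        for grammar, result in check_record(value).items():
            verdict = "valid" if result["ok"] else "INVALID: " + result["error"]
            print(f"  {grammar}: {verdict}")
```

Run as-is it reports the two hyphenated values as INVALID under rfc6844 and valid under rfc8659, and the hyphen-free values as valid under both. Note a second, quieter difference that removing the hyphens does not fix: because RFC 6844's value is *VCHAR and its parameters are whitespace-separated, a record such as "ca.example; accounturi=https://ca.example/acct/123; validationmethods=dns-01" parses under both grammars but an RFC 6844 parser keeps the trailing ";" as part of the accounturi value.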