IETF Logo Mail Archive

Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)

Barry Leiba <barryleiba@computer.org> Thu, 30 May 2019 21:33 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C224120158; Thu, 30 May 2019 14:33:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RtKAaLRrWbo0; Thu, 30 May 2019 14:33:06 -0700 (PDT)
Received: from mail-io1-f50.google.com (mail-io1-f50.google.com [209.85.166.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E186412004D; Thu, 30 May 2019 14:33:05 -0700 (PDT)
Received: by mail-io1-f50.google.com with SMTP id g16so6399976iom.9; Thu, 30 May 2019 14:33:05 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Fm9fifoqGCNvD9i0QFL8Fwl5M7QagqZH2TcFX/kNGAo=; b=tN0jUo0hIOvd/7b6iLpUatCTJe2f/GB+9SKCGekZqDzHR798u+hZD8XGU+wU171Cys vIgaE1eCgI5krXL0UeYtzvCJn7EVipApA5YLLn2LtpJ96mUi2S1Xdw4Vyvl7W8Oaitf3 v3v3p2VQNDqBOqeIO02lfxEEmkX7B3niOK55F7HnqAfGCiwN6wOelwCFch8xjbHR/gtJ WM8RUTTXBtSkyi/Om34Zn/JJRH1AsJ2TSrAOYNwqQ/XJe88DE3jLpKPRv9TzA91is2Wk CUB/zBH9HNcak7mbEMYjfn6HylrqhakocxPOAtQQOLX96YrXViAORuXaHCJp3GRBAHG4 DVxg==
X-Gm-Message-State: APjAAAUPhbe5DD3ZpaDNRRqQFMN0SAfpogs2vIn9pcuj2O7MAmqV2N+C SPXYY1/9RUkrMfEgeUvNdlysqmG6Xnuz1vT+DKJtl7jD
X-Google-Smtp-Source: APXvYqzAlyUOIqrve00prI1KKBZ0H/votV56H0JEdSQhA4Fh+7aq2WPNicSXF9Ugo8jVKQ7DqNMZM8MdQb3NS31Skwk=
X-Received: by 2002:a6b:38c3:: with SMTP id f186mr4329291ioa.187.1559251984815; Thu, 30 May 2019 14:33:04 -0700 (PDT)
MIME-Version: 1.0
References: <155888292737.18381.13153334659362661935.idtracker@ietfa.amsl.com> <20190530174230.GA12694@axminster> <CALaySJJ1M8Rnp4wRAn3xgfV3JM5vDDBU6MAhRpikHNSPgvZmSQ@mail.gmail.com> <20190530205150.GA21655@axminster>
In-Reply-To: <20190530205150.GA21655@axminster>
From: Barry Leiba <barryleiba@computer.org>
Date: Thu, 30 May 2019 22:32:53 +0100
Message-ID: <CALaySJL+YUBon_2NOA4dgTbWohoO_hAv-Sf_wnaPz_sF-GF8=Q@mail.gmail.com>
To: Hugo Landau <hlandau@devever.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-acme-caa@ietf.org, Daniel McCarney <cpu@letsencrypt.org>, acme-chairs@ietf.org, acme@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/j3eVKCI6t7khQeQhGVcxSS0kHTA>
Subject: Re: [Acme] Barry Leiba's Discuss on draft-ietf-acme-caa-07: (with DISCUSS and COMMENT)
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 21:33:08 -0000

OK; thanks again for taking the time for a nice explanation.  I
appreciate it, and it sounds like you have things in hand.  We're
good; carry on.  :-)

Barry

On Thu, May 30, 2019 at 9:52 PM Hugo Landau <hlandau@devever.net> wrote:
>
> > This all makes sense.  Would it be reasonable to recommend not just
> > "ca-", but "ca-<caidentifier>-"?  Experience has shown that if "flarb"
> > is a common thing among CAs (or whatever) and Verisign implements a
> > "ca-flarb", that will tend to leak and become an unregistered
> > standard... but that's far less likely to happen if it's
> > "ca-verisign-flarb".  I'm not suggesting any formalization nor
> > registry for the <caidentifier> part, but just the fact that it's
> > included tends to get us away from the problem that BCP 178 is
> > addressing.
> The important thing to consider is that these identifiers always occur
> in a context scoped to a specific CA:
>
>   example.com. IN CAA 0 issue "example.net; validationmethods=ca-foo"
>
> where example.net is some CA. So if you like, you can think of the
> validation method expressed here as being the tuple ("example.net",
> "ca-foo"). It's pretty much isomorphic to if, for example, one chose
> URIs instead along the lines of validationmethod://example.net/foo. But
> since all parameters on a CAA property are implicitly qualified by the
> CA's domain, this seemed very overkill.
>
> It is possible that different CAs will allocate the same identifiers to
> mean approximately the same thing — for example, if 10 different CAs
> elected to use "ca-email" for generic non-ACME email-based domain
> validation. They might also allocate the same identifiers to mean very
> different things. The premise of the ca- prefix, however, is that an
> entity requesting certificates is willing to establish a relationship
> with a CA in a non-automated fashion. In this case, that means reading a
> CA's documentation on supported validationmethods identifiers and
> understanding their semantics.
>
> I think this is reasonable since people don't change CAs frequently or
> automatically, or at least in the non-ACME cases. With ACME things can
> be automated much more — and in that case, the validationmethods
> identifiers used are fully standardised.
>
> So "identifier cross-pollination" between CAs is I think a non-issue.
> What I think you're trying to express is the possibility that e.g.
> Verisign has some method "ca-foo" and Digicert has some very different
> method also called "ca-foo", and at some point Digicert wants to let
> people refer to Verisign's "ca-foo" method.
>
> But reusing the same identifier isn't useful for the reasons given
> above; switching CAs in the non-ACME case is necessarily a manual
> process and will necessitate having some understanding of a CA's
> published (natural language) policies.
>
> Moreover, enabling CAs to reference validation method identifiers used
> by other CAs would undermine the point of the prefix, which is to be
> explicitly local to the specific CA whose domain is given.
>
> Perhaps most seriously though, this would make the first CA vulnerable
> to the possibility that the second CA subseqently changes their policy
> for the given identifier. In practice, CAs are extremely unlikely to
> want to create policy dependencies on other legal entities like this. It
> would be tantamount to a CA's CPS section on validation saying "We do
> the same thing Verisign does."
>
> So, if anything I think a scheme such as "ca-verisign-foo" is riskier.
>
> > > The CAA specification allows parameters to be attached to CAA
> > > properties, but this is a CA-specific namespace. Per CAA, there is no
> > > IANA registry for CAA parameters, and a CA is not required to give the
> > > meaning given in this I-D to "accounturi" or "validationmethods"
> > > parameters, unless it chooses to implement this RFC. See "Restrictions
> > > Ineffective without CA Recognition".
> >
> > OK; no longer a DISCUSS, and no need for further response, but if you
> > can re-word that to explain the situation a bit better, that'd be
> > great.
> Tweaked it a little.

v2.23.0 | Report a Bug | By Email