Re: [Acme] CAA in draft-ietf-acme-client-01.txt
Ben Schwartz <bemasc@google.com> Wed, 29 July 2020 16:39 UTC
Return-Path: <bemasc@google.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6665E3A0C82 for <acme@ietfa.amsl.com>; Wed, 29 Jul 2020 09:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NI6qMD5UY-nD for <acme@ietfa.amsl.com>; Wed, 29 Jul 2020 09:39:43 -0700 (PDT)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F2603A0B8A for <acme@ietf.org>; Wed, 29 Jul 2020 09:39:43 -0700 (PDT)
Received: by mail-wm1-x336.google.com with SMTP id k20so3603351wmi.5 for <acme@ietf.org>; Wed, 29 Jul 2020 09:39:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rxAeLt0gR7MLkyv3959NbPTi3O4jWGunDNR8m3CbsNg=; b=YZFyC1tdsfRUFoUPuqECfuEJXW+aGXezN2973VPyzgmMLdbr6UwMP7Rw9aQg7MAtoR GLhuxp/qt6hrZPJPjb4ZxYmcW1VyTY5IDWzMNg6LMi7hlc+JI2NFBOfUoPmDWpOTx1sX fJ+RV5NTykbe9J0Pff8yM7aULbsvUAgjMzA57025vTkdortpzk6uZTciKLKUl3CLl3sr Yl3f8QF9RKhsX6boXT4gsJcZQfqFd2AhxLF9YQZVeUj1VeUNuRy8/f5SYlfcOZb4tCLI jZDn8M4s3Y4CU61VJQfo6zpj5cE08WTpJEYMi03ptduPBgmv8Nk7DjZOad/ksWbRv/n2 sbuA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rxAeLt0gR7MLkyv3959NbPTi3O4jWGunDNR8m3CbsNg=; b=tZp5ydIUyFV2ufkEhd6DvD0v/1C8XKjVmtOj1OPOLB+uI8wM/PyWfs1UPjcMBPINxA rUHWScUZkQJ+rykMzGScoyMKk+Fgj7QfU2fbPjcu0lFdm7FIeF+pGHNNTXAbKFvEfEh+ D0FmdM48aju6pOl01DySIJjOeiKaJxZr1Sc3iM3WnAOtHhXY3K6fn93WxjLLL+b8tvZ8 5GjiHwTNdQueDQffEAyE4u8Qra/Ky/Dm5ZGPad3pV+8IyNiC9xo9sfxlA/A8ZFvLGr0J k80sxzNM9xlDy0T89o25Rdr7rsKiDGAU8z3emUGtjl7SN+HtE8JJRRwO7A5r7OnW3KTn osNg==
X-Gm-Message-State: AOAM530ngI+3rGyXEAItpic4ZwoNW+saD0v7Ou1UWzeD5SULC+85HODA qKlj5y7NdquXIowKoEDDj9x5BOrnBJBy2pjJ8HUZNw==
X-Google-Smtp-Source: ABdhPJyvXWo8SzestXyBS9AjUqxnqVz4AYC1MncAyCZFF085z6RiTZTOvCEhv5LZu0QaQDjF5YjjdStBZ/diaFmE4ec=
X-Received: by 2002:a1c:49c6:: with SMTP id w189mr9007943wma.97.1596040781389; Wed, 29 Jul 2020 09:39:41 -0700 (PDT)
MIME-Version: 1.0
References: <158981033392.26980.4468928473194139329@ietfa.amsl.com> <CAEa9xj4x16PYeX9jcBxdPmR08AkOEN6jZ5RfxQKQy0xgT-4CCw@mail.gmail.com> <CAHbuEH6Q8cPaFYwv_v-74z2JEZY5fqF3VmkVLOn+OdJCEmZhfw@mail.gmail.com> <CAF1ySfELcy=V9UJqkY8TLNF-mdk05owp5TSJ3xHTaXQaUgKdfg@mail.gmail.com> <9e2db5c2011348d280e3b00074f12ea8@x13pwhopdag1404.AMER.DELL.COM> <CAHbrMsCvnr+aDnC0zWpS6hnEh0ZB96Sy+wsSrV5Ueha=PntoOA@mail.gmail.com> <CAErg=HHF89ytL5F7BTaJk764eh4Jv2iTxUXS5smdro+WS+i3vA@mail.gmail.com>
In-Reply-To: <CAErg=HHF89ytL5F7BTaJk764eh4Jv2iTxUXS5smdro+WS+i3vA@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 29 Jul 2020 12:39:29 -0400
Message-ID: <CAHbrMsDCi8RtCpQWo5HhVBQx_2EVMMkJk1Jx0gQF_437bDxvww@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Kathleen.Moriarty@dell.com, Roland Bracewell Shoemaker <roland@letsencrypt.org>, acme@ietf.org, c@cem.me
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000db439805ab9733a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/lymRDbj11SYTidPVQ_XSW05X83M>
Subject: Re: [Acme] CAA in draft-ietf-acme-client-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 16:39:47 -0000
Thanks for the explanation. I certainly agree that the paragraph as written is incorrect: fetching the CAA record from the DNS, and attempting to use it for validation, is not possible. Removing the paragraph seems fine to me. My point was mostly that CAA transparency (even without any automation) could be interesting, but this draft probably isn't the place to speculate on that. On Wed, Jul 29, 2020 at 11:19 AM Ryan Sleevi <ryan-ietf@sleevi.com> wrote: > Ben: This text was intended towards auditors, and is indeed part of the > ongoing logging requirements imposed on CA. While it’s easy to imagine a > hypothetical world of CAA transparency and talk of it as if it was a thing, > there are a number of real and practical operational challenges that make > it more than “just” a log, particularly given the time-bounded nature of > DNSSEC validity and cryptographic material. > > The text in the draft, as is, is problematic, because that’s not been the > goal of CAA, and using it in such a manner, particularly clients, would be > actively harmful to the security value and deployability of CAA, and > further makes migration CAs unnecessarily difficult. This was a hugely > contentious barrier towards the deployment and requirement of CAA support > by CAs, and would have obvious lasting security harm. > > Concretely, imagine at Time 0, my CAA record says “foo.example”, and a > certificate with a validity period of 100 is issued. At Time 10, I cease > doing new business with Foo CA, and transition to Bar CA, with CAA record > of “bar.example” > > If clients check CAA, I would have to continue to permit Foo to be able to > issue new certificates from T=10 to T=100 in order to continue to use my > existing certificates. Further, I would have no technical means of > disclaiming or proving any misissuance; e.g.. due to Foo using validation > methods my organization did not wish to use, because my organization could > not adequately secure them. In such a world, it would be “my” fault, while > CAA provided a way to shift that burden to the CA performing the validation. > > This doomsday scenario doesn’t even require “most” clients to do so; just > “enough” and the interoperability risk of CAA would be too great and the > only obvious answer would be to not deploy it. > > In code signing, this is even more pronounced, because although the > validity period is T=0 to T=100, code signing that delegates to third party > CAs, as opposed to directly administered by the vendor, tends to > counter-sign such signatures with a timestamp, so that the signed artifact > can be used outside of its validity period. If the counter-signer checked > CAA, you “only” have to worry about keeping CAA around for [T=10, T=100], > but if the client verified CAA, you’d have to keep it around for [T=10, > T=infinity] in order to keep that artifact valid. > > As Roland states, CAA is between a site, the CA, and whomever supervises > that CA (e.g. auditors, supervisory bodies, etc). It provides a form of > dispute resolution about whether a certificate was authorized at the time > it was issued, in a consistent and interoperable way. The logs maintained > by CAs are primarily there to aid in that direct dispute resolution, which > is an inherently fuzzy and human process for what is expected to be a truly > exceptional situation, and anything more generic/more broadly would require > significantly greater complexity and design before it could be said to meet > any verification goals. > > I support the paragraphs removal. > > On Tue, Jul 28, 2020 at 4:12 PM Ben Schwartz <bemasc= > 40google.com@dmarc.ietf.org> wrote: > >> RFC 6844 Section 4.1 points out that logged DNSSEC-signed CAA records can >> be used when auditing CAs for mis-issuance. The current draft says "CAA >> helps as anyone .... can verify that the CA used has been authorized", >> which is true, but only if "anyone" has access to a log of the signed CAA >> records used by the CA, and the domain is DNSSEC-signed. >> >> I would like it if CAs published such logs, but I don't know whether it >> is a common practice. >> >> On Tue, Jul 28, 2020 at 3:58 PM <Kathleen.Moriarty@dell.com> wrote: >> >>> Roland, >>> >>> >>> >>> Thank you, that’s very helpful Any other opinions? I’m very happy to >>> delete with consensus and appreciate the reviews on this particular issue >>> as well as on the draft. >>> >>> >>> >>> Best regards, >>> >>> Kathleen >>> >>> >>> >>> *From:* Roland Shoemaker <roland@letsencrypt.org> >>> *Sent:* Tuesday, July 28, 2020 3:27 PM >>> *To:* Kathleen Moriarty >>> *Cc:* Carl Mehner; Moriarty, Kathleen; IETF ACME >>> *Subject:* Re: [Acme] CAA in draft-ietf-acme-client-01.txt >>> >>> >>> >>> [EXTERNAL EMAIL] >>> >>> I think the disconnect here is between CAs and Relying Applications >>> (i.e. browsers) using CAA. The CA should use CAA to validate if they have >>> authority to issue, but the relying application must not because the CAA >>> records are only applicable at the time of issuance and there is no >>> guarantee that the current CAA records may match the records that were >>> present in the past (i.e. I may set my CAA record to allow "example-ca", >>> issue a certificate, and then set my CAA record to an empty string to >>> prevent issuance from anyone, the check is valid at the time of issuance, >>> but anyone trying to do post-issuance validation would fail since the >>> record has changed). >>> >>> >>> >>> I would support removing the paragraph. >>> >>> >>> >>> On Tue, Jul 28, 2020 at 7:57 AM Kathleen Moriarty < >>> kathleen.moriarty.ietf@gmail.com> wrote: >>> >>> Hello Carl, >>> >>> >>> >>> Thank you for your review and I apologize for my extremely tardy >>> response. >>> >>> >>> >>> On Mon, May 18, 2020 at 11:41 AM Carl Mehner <c@cem.me> wrote: >>> >>> Looking at the latest draft for acme-client, I noticed that it mentions >>> CAA: >>> CAA helps as anyone verifying a certificate used for code signing can >>> verify that the CA used has been authorized to issue certificates for >>> that organization. >>> >>> However, in the CAA RFC it states: >>> Relying Applications MUST >>> NOT use CAA records as part of certificate validation. >>> >>> I propose removing the statement in acme-client about CAA that is quoted >>> above. >>> >>> >>> >>> I recall having gone through this conversation before to wind up where >>> the draft is now. RFC8555 has the following: >>> >>> caaIdentities (optional, array of string): The hostnames that the >>> >>> ACME server recognizes as referring to itself for the purposes of >>> >>> CAA record validation as defined in [RFC6844 <https://tools.ietf.org/html/rfc6844>]. Each string MUST >>> >>> represent the same sequence of ASCII code points that the server >>> >>> will expect to see as the "Issuer Domain Name" in a CAA issue or >>> >>> issuewild property tag. This allows clients to determine the >>> >>> correct issuer domain name to use when configuring CAA records. >>> >>> Section 9.7.8 has the following: >>> >>> Validation methods do not have to be compatible with ACME in order to >>> >>> be registered. For example, a CA might wish to register a validation >>> >>> method to support its use with the ACME extensions to CAA [ACME-CAA <https://tools.ietf.org/html/rfc8555#ref-ACME-CAA>]. >>> >>> >>> >>> Section 11.2 has the following: >>> >>> An ACME-based CA must only use a resolver if it trusts the resolver >>> >>> and every component of the network route by which it is accessed. >>> >>> Therefore, it is RECOMMENDED that ACME-based CAs operate their own >>> >>> DNSSEC-validating resolvers within their trusted network and use >>> >>> these resolvers both for CAA record lookups and all record lookups in >>> >>> furtherance of a challenge scheme (A, AAAA, TXT, etc.). >>> >>> >>> >>> As you point out, https://tools.ietf.org/html/rfc6844 >>> <https://tools.ietf...org/html/rfc6844>, advises against its use. >>> >>> >>> >>> I am happy to edit to consensus. If a change is needed, I can turn that >>> around quickly. >>> >>> >>> >>> Best regards, >>> >>> Kathleen >>> >>> >>> >>> -carl mehner >>> >>> _______________________________________________ >>> Acme mailing list >>> Acme@ietf.org >>> https://www.ietf.org/mailman/listinfo/acme >>> >>> >>> >>> >>> -- >>> >>> >>> >>> Best regards, >>> >>> Kathleen >>> >>> _______________________________________________ >>> Acme mailing list >>> Acme@ietf.org >>> https://www.ietf.org/mailman/listinfo/acme >>> >>> _______________________________________________ >>> Acme mailing list >>> Acme@ietf.org >>> https://www.ietf.org/mailman/listinfo/acme >>> >> _______________________________________________ >> Acme mailing list >> Acme@ietf.org >> https://www.ietf.org/mailman/listinfo/acme >> >
- [Acme] I-D Action: draft-ietf-acme-client-01.txt internet-drafts
- [Acme] CAA in draft-ietf-acme-client-01.txt Carl Mehner
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Kathleen Moriarty
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Roland Shoemaker
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Kathleen.Moriarty
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Ben Schwartz
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Ryan Sleevi
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Ben Schwartz
- Re: [Acme] CAA in draft-ietf-acme-client-01.txt Kathleen Moriarty