IETF Logo Mail Archive

Re: [Acme] CAA in draft-ietf-acme-client-01.txt

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Wed, 29 July 2020 17:17 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2365C3A0D0F for <acme@ietfa.amsl.com>; Wed, 29 Jul 2020 10:17:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LVhIimc5PK5X for <acme@ietfa.amsl.com>; Wed, 29 Jul 2020 10:17:54 -0700 (PDT)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9DFE3A0D1B for <acme@ietf.org>; Wed, 29 Jul 2020 10:17:53 -0700 (PDT)
Received: by mail-io1-xd34.google.com with SMTP id a5so10089291ioa.13 for <acme@ietf.org>; Wed, 29 Jul 2020 10:17:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DYNYA04E4Qotk3Rt1Sah+trX6TiEykxSALeLIMKcxz4=; b=DMbtsO3y92ic3agyz+Js2VAFRb/S1olb6Qj0lxz6Cul8F8fp2Qjy6lEbYG44F0TFoI bDfULiNejlrBjeAO3PgPr6/jzLfG/k4qagsSljJoMd2UfjaRoVc/tS1YpS2+w6Yb4wsJ +x+eI+eZDMM+IYu6bDkfbuG55IF+TrqbJdbSIqUDljyz0gN/Ir+fBH4mWbuv+lCRnHO2 vFYUYKAt8pN1T5J144qTXiMn83keknaJGk+uFt21sdROytKuNGqkC9Q05/KcK2rnePnl OtEdGRlx2d4XVNgihaTjT0mhKWLmdn5dByNOhT7uYlwFgliswX18b2DD7krigNmcXcZ6 mpHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DYNYA04E4Qotk3Rt1Sah+trX6TiEykxSALeLIMKcxz4=; b=K82LSG5lUigsYqUyI7nL4KPbAWd0WfqsRt43BuqtK837BvnDciYexgeo5zLaBk14QW /BCk52rf/SQU1k7mEb157/gFEz54EOxCCokTb7bvqqBc0urepmXY9MYZKfQ0Za21pbl4 FG/hEFIh8fA4Rpr5DuhnE7/rkjvKOkJ21/JSpuyO+fatLGfKUCmEyO2RK2Idxh1hYYAS f6uCutlk4ubTmiQ/2jY7FMbwjCvl00Aegm70tvji6xVGn9AmB91rkoMEp4FE/D0Z6mtw KCufUpF1wv4Dd7DRkhfWpSFXJps/H32M3x0He+Q+do8UWuA4GtWfK/4FhIWb6AXFCSRx Wnxw==
X-Gm-Message-State: AOAM531wMz/G5Kfd4eEmJhi9pFWAphbwccjrkJtK3gKLc3l5s2uScuZ8 RsNpumQ1TwnFB3YFSVwPnV6l/sJ9iWH05TToLMc=
X-Google-Smtp-Source: ABdhPJybhunzkyYfVLolZ5AWX0/YxK5VGZArFQWVlxyk8btNq44ewoItJzGlkJYuZ+0pT190v93P0SnWgkM5BdyG6ug=
X-Received: by 2002:a6b:be81:: with SMTP id o123mr21268751iof.64.1596043072116; Wed, 29 Jul 2020 10:17:52 -0700 (PDT)
MIME-Version: 1.0
References: <158981033392.26980.4468928473194139329@ietfa.amsl.com> <CAEa9xj4x16PYeX9jcBxdPmR08AkOEN6jZ5RfxQKQy0xgT-4CCw@mail.gmail.com> <CAHbuEH6Q8cPaFYwv_v-74z2JEZY5fqF3VmkVLOn+OdJCEmZhfw@mail.gmail.com> <CAF1ySfELcy=V9UJqkY8TLNF-mdk05owp5TSJ3xHTaXQaUgKdfg@mail.gmail.com> <9e2db5c2011348d280e3b00074f12ea8@x13pwhopdag1404.AMER.DELL.COM> <CAHbrMsCvnr+aDnC0zWpS6hnEh0ZB96Sy+wsSrV5Ueha=PntoOA@mail.gmail.com> <CAErg=HHF89ytL5F7BTaJk764eh4Jv2iTxUXS5smdro+WS+i3vA@mail.gmail.com> <CAHbrMsDCi8RtCpQWo5HhVBQx_2EVMMkJk1Jx0gQF_437bDxvww@mail.gmail.com>
In-Reply-To: <CAHbrMsDCi8RtCpQWo5HhVBQx_2EVMMkJk1Jx0gQF_437bDxvww@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 29 Jul 2020 13:17:16 -0400
Message-ID: <CAHbuEH7OYLbc8bASBA0F03Y-rhW7yFotU527f-qYhg47uHCtKw@mail.gmail.com>
To: Ben Schwartz <bemasc@google.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>, "Moriarty, Kathleen" <Kathleen.Moriarty@dell.com>, Roland Bracewell Shoemaker <roland@letsencrypt.org>, IETF ACME <acme@ietf.org>, Carl Mehner <c@cem.me>
Content-Type: multipart/alternative; boundary="0000000000005c1ed205ab97bc49"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/mtyRmx_-9ApJuD2wxNKI6fPsr2Y>
Subject: Re: [Acme] CAA in draft-ietf-acme-client-01.txt
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 17:17:57 -0000

Thank you all for the good discussion.  It seems like a solid discussion
and reasoning towards removing the paragraph.  I'll post a new version soon.

Best regards,
Kathleen

On Wed, Jul 29, 2020 at 12:39 PM Ben Schwartz <bemasc@google.com> wrote:

> Thanks for the explanation.  I certainly agree that the paragraph as
> written is incorrect: fetching the CAA record from the DNS, and attempting
> to use it for validation, is not possible.  Removing the paragraph seems
> fine to me.
>
> My point was mostly that CAA transparency (even without any automation)
> could be interesting, but this draft probably isn't the place to speculate
> on that.
>
> On Wed, Jul 29, 2020 at 11:19 AM Ryan Sleevi <ryan-ietf@sleevi.com> wrote:
>
>> Ben: This text was intended towards auditors, and is indeed part of the
>> ongoing logging requirements imposed on CA. While it’s easy to imagine a
>> hypothetical world of CAA transparency and talk of it as if it was a thing,
>> there are a number of real and practical operational challenges that make
>> it more than “just” a log, particularly given the time-bounded nature of
>> DNSSEC validity and cryptographic material.
>>
>> The text in the draft, as is, is problematic, because that’s not been the
>> goal of CAA, and using it in such a manner, particularly clients, would be
>> actively harmful to the security value and deployability of CAA, and
>> further makes migration CAs unnecessarily difficult. This was a hugely
>> contentious barrier towards the deployment and requirement of CAA support
>> by CAs, and would have obvious lasting security harm.
>>
>> Concretely, imagine at Time 0, my CAA record says “foo.example”, and a
>> certificate with a validity period of 100 is issued. At Time 10, I cease
>> doing new business with Foo CA, and transition to Bar CA, with CAA record
>> of “bar.example”
>>
>> If clients check CAA, I would have to continue to permit Foo to be able
>> to issue new certificates from T=10 to T=100 in order to continue to use my
>> existing certificates. Further, I would have no technical means of
>> disclaiming or proving any misissuance; e.g.. due to Foo using validation
>> methods my organization did not wish to use, because my organization could
>> not adequately secure them. In such a world, it would be “my” fault, while
>> CAA provided a way to shift that burden to the CA performing the validation.
>>
>> This doomsday scenario doesn’t even require “most” clients to do so; just
>> “enough” and the interoperability risk of CAA would be too great and the
>> only obvious answer would be to not deploy it.
>>
>> In code signing, this is even more pronounced, because although the
>> validity period is T=0 to T=100, code signing that delegates to third party
>> CAs, as opposed to directly administered by the vendor, tends to
>> counter-sign such signatures with a timestamp, so that the signed artifact
>> can be used outside of its validity period. If the counter-signer checked
>> CAA, you “only” have to worry about keeping CAA around for [T=10, T=100],
>> but if the client verified CAA, you’d have to keep it around for [T=10,
>> T=infinity] in order to keep that artifact valid.
>>
>> As Roland states, CAA is between a site, the CA, and whomever supervises
>> that CA (e.g. auditors, supervisory bodies, etc). It provides a form of
>> dispute resolution about whether a certificate was authorized at the time
>> it was issued, in a consistent and interoperable way. The logs maintained
>> by CAs are primarily there to aid in that direct dispute resolution, which
>> is an inherently fuzzy and human process for what is expected to be a truly
>> exceptional situation, and anything more generic/more broadly would require
>> significantly greater complexity and design before it could be said to meet
>> any verification goals.
>>
>> I support the paragraphs removal.
>>
>> On Tue, Jul 28, 2020 at 4:12 PM Ben Schwartz <bemasc=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>> RFC 6844 Section 4.1 points out that logged DNSSEC-signed CAA records
>>> can be used when auditing CAs for mis-issuance.  The current draft says
>>> "CAA helps as anyone .... can verify that the CA used has been authorized",
>>> which is true, but only if "anyone" has access to a log of the signed CAA
>>> records used by the CA, and the domain is DNSSEC-signed.
>>>
>>> I would like it if CAs published such logs, but I don't know whether it
>>> is a common practice.
>>>
>>> On Tue, Jul 28, 2020 at 3:58 PM <Kathleen.Moriarty@dell.com> wrote:
>>>
>>>> Roland,
>>>>
>>>>
>>>>
>>>> Thank you, that’s very helpful  Any other opinions?  I’m very happy to
>>>> delete with consensus and appreciate the reviews on this particular issue
>>>> as well as on the draft.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Kathleen
>>>>
>>>>
>>>>
>>>> *From:* Roland Shoemaker <roland@letsencrypt.org>
>>>> *Sent:* Tuesday, July 28, 2020 3:27 PM
>>>> *To:* Kathleen Moriarty
>>>> *Cc:* Carl Mehner; Moriarty, Kathleen; IETF ACME
>>>> *Subject:* Re: [Acme] CAA in draft-ietf-acme-client-01.txt
>>>>
>>>>
>>>>
>>>> [EXTERNAL EMAIL]
>>>>
>>>> I think the disconnect here is between CAs and Relying Applications
>>>> (i.e. browsers) using CAA. The CA should use CAA to validate if they have
>>>> authority to issue, but the relying application must not because the CAA
>>>> records are only applicable at the time of issuance and there is no
>>>> guarantee that the current CAA records may match the records that were
>>>> present in the past (i.e. I may set my CAA record to allow "example-ca",
>>>> issue a certificate, and then set my CAA record to an empty string to
>>>> prevent issuance from anyone, the check is valid at the time of issuance,
>>>> but anyone trying to do post-issuance validation would fail since the
>>>> record has changed).
>>>>
>>>>
>>>>
>>>> I would support removing the paragraph.
>>>>
>>>>
>>>>
>>>> On Tue, Jul 28, 2020 at 7:57 AM Kathleen Moriarty <
>>>> kathleen.moriarty.ietf@gmail.com> wrote:
>>>>
>>>> Hello Carl,
>>>>
>>>>
>>>>
>>>> Thank you for your review and I apologize for my extremely tardy
>>>> response.
>>>>
>>>>
>>>>
>>>> On Mon, May 18, 2020 at 11:41 AM Carl Mehner <c@cem.me> wrote:
>>>>
>>>> Looking at the latest draft for acme-client, I noticed that it mentions
>>>> CAA:
>>>>    CAA helps as anyone verifying a certificate used for code signing can
>>>>    verify that the CA used has been authorized to issue certificates for
>>>>    that organization.
>>>>
>>>> However, in the CAA RFC it states:
>>>>    Relying Applications MUST
>>>>    NOT use CAA records as part of certificate validation.
>>>>
>>>> I propose removing the statement in acme-client about CAA that is
>>>> quoted above.
>>>>
>>>>
>>>>
>>>> I recall having gone through this conversation before to wind up where
>>>> the draft is now.  RFC8555 has the following:
>>>>
>>>>       caaIdentities (optional, array of string):  The hostnames that the
>>>>
>>>>       ACME server recognizes as referring to itself for the purposes of
>>>>
>>>>       CAA record validation as defined in [RFC6844 <https://tools.ietf.org/html/rfc6844>].  Each string MUST
>>>>
>>>>       represent the same sequence of ASCII code points that the server
>>>>
>>>>       will expect to see as the "Issuer Domain Name" in a CAA issue or
>>>>
>>>>       issuewild property tag.  This allows clients to determine the
>>>>
>>>>       correct issuer domain name to use when configuring CAA records.
>>>>
>>>>  Section 9.7.8 has the following:
>>>>
>>>>    Validation methods do not have to be compatible with ACME in order to
>>>>
>>>>    be registered.  For example, a CA might wish to register a validation
>>>>
>>>>    method to support its use with the ACME extensions to CAA [ACME-CAA <https://tools.ietf.org/html/rfc8555#ref-ACME-CAA>].
>>>>
>>>>
>>>>
>>>> Section 11.2 has the following:
>>>>
>>>>    An ACME-based CA must only use a resolver if it trusts the resolver
>>>>
>>>>    and every component of the network route by which it is accessed.
>>>>
>>>>    Therefore, it is RECOMMENDED that ACME-based CAs operate their own
>>>>
>>>>    DNSSEC-validating resolvers within their trusted network and use
>>>>
>>>>    these resolvers both for CAA record lookups and all record lookups in
>>>>
>>>>        furtherance of a challenge scheme (A, AAAA, TXT, etc.).
>>>>
>>>>
>>>>
>>>> As you point out, https://tools.ietf.org/html/rfc6844
>>>> <https://tools.ietf...org/html/rfc6844>, advises against its use.
>>>>
>>>>
>>>>
>>>> I am happy to edit to consensus.  If a change is needed, I can turn
>>>> that around quickly.
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Kathleen
>>>>
>>>>
>>>>
>>>> -carl mehner
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>>
>>>>
>>>> Best regards,
>>>>
>>>> Kathleen
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>
>>>> _______________________________________________
>>>> Acme mailing list
>>>> Acme@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/acme
>>>>
>>> _______________________________________________
>>> Acme mailing list
>>> Acme@ietf.org
>>> https://www.ietf.org/mailman/listinfo/acme
>>>
>>

-- 

Best regards,
Kathleen

v2.19.0 | Report a Bug | By Email