Re: [Acme] Use of CAA in ACME
Hugo Landau <hlandau@devever.net> Thu, 04 February 2016 03:15 UTC
Return-Path: <hlandau@devever.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 640751B38EE for <acme@ietfa.amsl.com>; Wed, 3 Feb 2016 19:15:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bbhndTLn9fdS for <acme@ietfa.amsl.com>; Wed, 3 Feb 2016 19:15:10 -0800 (PST)
Received: from umbriel.devever.net (umbriel.devever.net [149.202.51.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00C951B38EC for <acme@ietf.org>; Wed, 3 Feb 2016 19:15:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with ESMTP id 0F4D11C60F; Thu, 4 Feb 2016 04:15:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=devever.net; h= user-agent:in-reply-to:content-disposition:content-type :content-type:mime-version:references:message-id:subject:subject :from:from:date:date:received:received; s=mimas; t=1454555707; x=1472745068; bh=+AM9REM6MiHSMNcAV82fSp/HzkYiMGo05CLf1E2AhBQ=; b= bqRujQ5FIIb7QXolp/973/03S3Vq5HKIQGMH7DTQxWaFismOCbiua73mZDnQ08Wf 4PEOH8VlDL5+j+fThg5bDM7fDqsTEJKB1QssMGI8fScS9BW6c1t2oORwyPyWRwXT QpzXVIlclPXXJBY5TAeJZ0S3zbC2FQGA8akBLovjBYmShexa9gFK//MxPQ9hjerj fxKqu1zeIkSobFOv8h4t3TtmFo3qevdVlbvbkxXSYlKbUoahFRlxGzug4mXUE/vW 41rIKdL6a85AwzotRrr+ASX8GQomlrT8GerYrj+2Lh0x/NCiJq6VA2cBt3IgfgOi xXUPo1aUQUHgxs2F3dBETw==
Received: from umbriel.devever.net ([127.0.0.1]) by localhost (umbriel.devever.net [127.0.0.1]) (amavisd-new, port 10026) with LMTP id vxNFlk7geN8Q; Thu, 4 Feb 2016 04:15:07 +0100 (CET)
Received: from andover (localhost [127.0.0.1]) by umbriel.devever.net (Postfix) with SMTP id C9C1F1C60D; Thu, 4 Feb 2016 04:15:07 +0100 (CET)
Date: Thu, 04 Feb 2016 03:15:07 +0000
From: Hugo Landau <hlandau@devever.net>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Message-ID: <20160204031507.GA13965@andover>
References: <CAMm+LwjPUSWeFAXYdrt0RCHfHvgCuzn54iSgF+-fSKsh1QzjnA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAMm+LwjPUSWeFAXYdrt0RCHfHvgCuzn54iSgF+-fSKsh1QzjnA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/zEO4RA9aPe6uKb4yzT6rWMlNl84>
Cc: acme@ietf.org
Subject: Re: [Acme] Use of CAA in ACME
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 03:15:12 -0000
So here's a list of issues to be satisfied for CAA: 1. Maybe say that ACME CAs SHOULD use CAA. 2. Provide a standardized ACME account key binding parameter for CAA records. 3. Allow discovery of the correct ACME CA 'issuer' value from an ACME directory URL. 4. If we suppose that the CAB Forum determination that challenges should be nondeterministic might someday get overturned, there are various ways issuance could be authorized via DNS. One is using CAA. Due to the nature of CAA, this would authorize an account key thumbprint for an entire domain hierarchy. My main reservation about this approach is that it changes the CAA semantics from being necessary to sufficient. I can't immediately see any issue with this, but it seems like a substantial change, and to some extent is an 'overloading' of the CAA record. Another possibility is modifying dns-01 to be deterministic, or doing things with DANE, however this would only apply to a single name. 5. If I think I am understanding this right, the idea is that an enterprise runs its own ACME server which essentially proxies requests to the real ACME server. I really don't think the CAA record is the right place for this. The CAA record is a means of communication from a domain to CA, not from a domain to its subsidiary components. I think what you are essentially saying is that ACME clients might be modified so that they use either a configured or autodiscovered organizationally specific directory URL. You could reuse the CAA discovery rules of finding the nearest CAA record in the tree, only for something like this: _acme-server.example.com. IN TXT "https://foo.example.com/directory" Whether or not CAA is used, a directory URL should be used and not a domain name. Note that the "domain; params" syntax applies only to the issue and issuewild tags. iodef, for example, uses an URI. I covered #3 in PR#72. I have an unsubmitted change here <https://github.com/hlandauf/acme/commit/3a91fccd2fef8fc5a966beac95837500c32c2788> which covers #1, #2 and #4. I haven't submitted it yet because I'm a bit ambivalent about the sufficiency part. Might want to consider that separately. Hugo Landau On Wed, Feb 03, 2016 at 02:17:24PM -0500, Phillip Hallam-Baker wrote: > I would like to propose that we use RFC6844 to allow clients to > discover the CA to direct requests to. > > A DNS name MAY have multiple CAA records. Each record has a tag > specifying the purpose and a text field. So we would add in a text > field for ACME. > > The simplest version would be something of the form: > > example.com CAA 0 acme "comodo.com" > > > The typical enterprise case has the request going to an LRA because > that is where the account key pair is held and that is what did the > validation against the CA. > > I am thinking through that part. > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme
- [Acme] Use of CAA in ACME Phillip Hallam-Baker
- Re: [Acme] Use of CAA in ACME Richard Barnes
- Re: [Acme] Use of CAA in ACME Hugo Landau