Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4

Phil Pennock <ietf-smtp-phil@spodhuis.org> Sun, 08 March 2020 11:43 UTC

Return-Path: <ietf-smtp-phil@spodhuis.org>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A03833A0B07 for <ietf-smtp@ietfa.amsl.com>; Sun, 8 Mar 2020 04:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spodhuis.org header.b=YbHY8w9h; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=spodhuis.org header.b=YqkfJVwH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WekAJx3w8pIp for <ietf-smtp@ietfa.amsl.com>; Sun, 8 Mar 2020 04:43:06 -0700 (PDT)
Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92A3B3A0B02 for <ietf-smtp@ietf.org>; Sun, 8 Mar 2020 04:43:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d202003; h=In-Reply-To:Content-Type:MIME-Version:References :Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc:Content-Transfer-Encoding :Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=/lW1P3LYM8OFEJ0vr1DYA/QfL/KkXE2R3Ke2tZbXGck=; b=YbHY8w9hYsLZMyv2AQINwLUKwl oy3nr+XKkSlIsXrg2aCbDYlPpdCQjEj10Ome3Li4I5Nv+HjT/Fu+YZLzOu6LR7zpOSK/LYrFka+ac zxkxjfmb/bflmtL5YiFmy3o84mYwifxUW2kLpi0bj/O1hCahSe+bsUpsS3ZhhHrFHpiY106nrg10y o6rtrPHI7+x9aYp49EfgsFwK1tlx2ag6RYADPyWMNFjMo4he535ktuAE1o2YuPmYhQOns8v1U/XBp 0ARXwTfcBkUIvsLo7mJtrU5WZL6XLms/kKv43P6lyCKzXAKcwFFPbUCdVLykLKEQWjmhMJe9p0V/w vl77JIlw==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d202003e2; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:To:From:Date:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=/lW1P3LYM8OFEJ0vr1DYA/QfL/KkXE2R3Ke2tZbXGck=; b=YqkfJVwH7lFlgaAaN4Zv7MWE7 8VCTnj5N06utflSwvSNfVQTelHa/bbTwS/V/NMV9q+LzYAFk1X6cBi+6pQuAA==;
Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) id 1jAuKj-000Egn-TP; Sun, 08 Mar 2020 11:43:02 +0000
Date: Sun, 8 Mar 2020 07:42:57 -0400
From: Phil Pennock <ietf-smtp-phil@spodhuis.org>
To: ietf-smtp@ietf.org
Message-ID: <20200308114257.GA30913@fullerene>
Mail-Followup-To: ietf-smtp@ietf.org
References: <20200304003828.7D2FC154D27A@ary.qy> <20200303210604.GA18965@fullerene> <60c385bc383a7cdea8b72aab454e2bb9e672b00c.camel@aegee.org> <20200307092946.GN7977@straasha.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200307092946.GN7977@straasha.imrryr.org>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/xfCfNXbcq3894r4XccClmlG6nSY>
Subject: Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2020 11:43:09 -0000

On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:
> Here opinions differ.  Trusting a CA that validates domain control as
> weakly as Let's Encrypt would not be my choice.  But with half the
> world trusting Let's Encrypt's "proofs" of domain control, you can
> perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are
allowed to issue certificates for your domain.

E.g., in the zonefile for `spodhuis.org` I have:

@  CAA  0  issue "globnix.net"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79096293"
@  CAA  0  issuewild ";"
@  CAA  0  iodef "mailto:security@spodhuis.org"

See RFC 8657 for more on `accounturi`.

(Ignore my in-house CA `globnix.net`; and I recommend comments in the
 zonefile or whatever you use, to index those account numbers and keep
 things straight.)

-Phil
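The records quoted in the message are only useful if a CA actually evaluates them. The following is an added example, not code from Phil Pennock or from Let's Encrypt: a small evaluator that parses a zonefile CAA snippet (the one above, assumed to live at origin `spodhuis.org`), walks the name tree the way RFC 8659 describes, and applies the RFC 8657 `accounturi` parameter. It lets an operator check, before publishing, what a given issuer and ACME account would be allowed to do for a name such as `smtp.spodhuis.org` (assumed here to carry no CAA records of its own) or for a wildcard. The empty `issuewild ";"` and the critical flag (bit 128 on an unknown property) are handled as the RFC requires.

```python
"""Added example: evaluate CAA policy per RFC 8659 with the RFC 8657 accounturi parameter."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 128 (0x80) is the "issuer critical" flag
    tag: str     # property tag: issue, issuewild, iodef, ...
    value: str   # property value with zonefile escapes removed


# Constructed copy of the zonefile snippet quoted in the message; "@" is the origin.
ZONE_TEXT = r"""
@  CAA  0  issue "globnix.net"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"
@  CAA  0  issue "letsencrypt.org\; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79096293"
@  CAA  0  issuewild ";"
@  CAA  0  iodef "mailto:security@spodhuis.org"
"""

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def parse_zone(text: str, origin: str) -> dict[str, list[CAA]]:
    """Parse '<owner> CAA <flags> <tag> "<value>"' lines into per-name RRsets."""
    records: dict[str, list[CAA]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or zonefile comment
            continue
        owner, rtype, flags, tag, rest = line.split(None, 4)
        if rtype.upper() != "CAA":
            continue
        name = origin if owner == "@" else owner.rstrip(".")
        value = rest.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        value = value.replace("\\;", ";")         # '\;' is the zonefile escape for ';' in a quoted string
        records.setdefault(name.lower(), []).append(CAA(int(flags), tag.lower(), value))
    return records


def parse_issue_value(value: str) -> tuple[str, dict[str, str]]:
    """Split 'issuer-domain; key=value; ...' into the issuer domain and its parameters.

    A bare ';' yields an empty issuer domain, which means "no CA may issue".
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: dict[str, str] = {}
    for param in parts[1:]:
        if param:
            key, _, val = param.partition("=")
            params[key.strip().lower()] = val.strip()
    return issuer, params


def find_relevant_caa(records: dict[str, list[CAA]], fqdn: str) -> list[CAA]:
    """RFC 8659 tree walk: the RRset at the name itself, else at the closest ancestor that has one."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in records:
            return records[name]
    return []


def may_issue(records: dict[str, list[CAA]], fqdn: str, ca: str, account_uri: str | None = None) -> bool:
    """Decide whether issuer domain `ca` (acting for `account_uri`) may issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    rrset = find_relevant_caa(records, fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True                                # no CAA anywhere in the tree: unrestricted
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                               # critical property we do not understand
    # issuewild governs wildcard requests only if at least one issuewild record exists.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True                                # e.g. only an iodef record: no issuance restriction
    for record in applicable:
        issuer, params = parse_issue_value(record.value)
        if issuer != ca.lower():
            continue
        # RFC 8657: an accounturi parameter binds the permission to exactly one ACME account.
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        return True
    return False


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT, "spodhuis.org")
    prod = "https://acme-v02.api.letsencrypt.org/acme/acct/79096293"
    for name, ca, acct in [("smtp.spodhuis.org", "letsencrypt.org", prod),
                           ("smtp.spodhuis.org", "letsencrypt.org", None),
                           ("*.spodhuis.org", "letsencrypt.org", prod)]:
        print(f"{name:20} {ca:16} account={acct}: {'allowed' if may_issue(zone, name, ca, acct) else 'refused'}")
```

Run it as a script to see the three cases printed; a request from the listed production account for `smtp.spodhuis.org` is allowed, the same issuer without a matching account is refused, and any wildcard request is refused by the empty `issuewild`. Note that the `accounturi` comparison is an exact string match, which is why the message's advice to keep the account numbers indexed in comments matters: a stale or mistyped URI silently locks the domain out of renewals.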