[secdir] Security review of draft-ietf-acme-caa-08

"Hilarie Orman" <hilarie@purplestreak.com> Thu, 06 June 2019 17:53 UTC

Date: Thu, 6 Jun 2019 11:52:35 -0600
Message-Id: <201906061752.x56HqZHh031114@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: secdir@ietf.org
Cc: iesg@ietf.org, draft-ietf-acme-caa.all@tools.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DnQ_R9Iux6x3ACUV5bQ-v8Ezwpc>

Security review of
CAA Record Extensions for Account URI and ACME Method Binding

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call

The subject of this document is DNS records describing certificate
issuance policies and how the policies can be made more granular
through the use of two new parameters: accounturi and
validationmethods.  The first parameter designates particular accounts
that can act as CAs for a domain; the second parameter names the
methods that can be used for validation.

This version is laudable in its amplification of the security
considerations section.

Section 5.6 discusses the case in which the CA does not use DNSSEC
and is vulnerable to MITM attacks.  The final paragraph says that
the new parameters are still effective in this case.  I do not think
that it is the intent of the authors to support the idea of a CA
not using DNSSEC, but the text has a positive slant to it, which
might be interpreted as a recommendation.  Some slight wordsmithing
would be helpful.

As nearly as I can tell, there are no security problems.

The phrase "as such" is used 4 times in section 5.  It has no effect
on the meaning of the sentence, and I recommend universal deletion.
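As an added illustration, not part of this review or of the draft's text, here is a CA-side policy check for CAA issue records that carry the accounturi and validationmethods parameters. The record values, CA names and account URI are constructed; the exact-match rule for accounturi and the list-membership rule for validationmethods are assumptions drawn from the draft.

```python
"""Constructed example: evaluate CAA 'issue' records extended with the
accounturi and validationmethods parameters (draft-ietf-acme-caa)."""
from dataclasses import dataclass


@dataclass
class CaaRecord:
    tag: str    # e.g. "issue"
    value: str  # e.g. 'ca.example; accounturi=...; validationmethods=dns-01'


def parse_issue_value(value: str):
    """Split an issue value into (issuer domain, {parameter: value}).
    A bare ';' yields an empty issuer, which matches no CA (issuance denied)."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue
        key, _, val = p.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params


def issuance_permitted(records, ca_domain, account_uri, method):
    """True if ca_domain, acting for account_uri after validating with
    `method`, may issue. No 'issue' records at all means no restriction."""
    issue_records = [r for r in records if r.tag.lower() == "issue"]
    if not issue_records:
        return True
    for rec in issue_records:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca_domain.lower():
            continue  # record names a different CA (or none at all)
        # accounturi: the ACME account URI must match exactly (assumption)
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        # validationmethods: comma-separated list; used method must be listed
        if "validationmethods" in params:
            allowed = {m.strip() for m in params["validationmethods"].split(",")}
            if method not in allowed:
                continue
        return True  # at least one matching record permits issuance
    return False


# Constructed sample records for a hypothetical zone example.test
SAMPLE = [
    CaaRecord("issue", "ca.example; accounturi=https://ca.example/acct/42; validationmethods=dns-01"),
    CaaRecord("issue", "other-ca.example"),
]
```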