[secdir] Security review of draft-ietf-acme-caa-06

"Hilarie Orman" <hilarie@purplestreak.com> Wed, 10 April 2019 06:44 UTC

Date: Wed, 10 Apr 2019 00:44:11 -0600
Message-Id: <201904100644.x3A6iBgD011575@rumpleteazer.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
Reply-To: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-acme-caa.all@tools.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LgCBA13vSiTJrj6zQefGmQYkZEw>
Subject: [secdir] Security review of draft-ietf-acme-caa-06

                          Security review of
     CAA Record Extensions for Account URI and ACME Method Binding
                         draft-ietf-acme-caa-06


Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

The subject of this document is DNS records describing certificate
issuance policies and how the policies can be made more granular
through the use of two new parameters: accounturi and validationmethods.
The first parameter designates particular accounts that can act
as CAs for a domain, the second parameter names the methods that can
be used for validation.

It took me almost an hour to realize that "accounturi" was "account uri".
It looked like some fancy foreign word.  "He was not merely an
accountant, he was an accounturi from a noble hereditary line."

Moving on, the document claims that the only effect of the new
parameters is to narrow the ways in which a certificate should be
issued.  There are no additional security measures.  Bad actors can
still be bad, men can remain in the middle.  The new parameters are
there for the use of good actors.

I am not convinced that all of the items in section 5 really are
"security considerations".  The increased granularity is not in itself
a security measure.  Some of the items relating to validation methods
and DNSSEC are security considerations.

As nearly as I can tell, there are no security problems.

Hilarie
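
The narrowing effect described in the review, as an added example that is not part of the original message or of the draft: a simplified sketch of how a CA could evaluate CAA "issue" property values carrying accounturi and validationmethods. The function names, the domain ca.example, the account URIs and the record values are constructed assumptions.

```python
# Added illustration, not code from the draft or from any CA implementation.
# Simplified evaluation of CAA "issue" property values that carry the
# accounturi and validationmethods parameters. All sample values are constructed.

def parse_issue_value(value):
    """Split 'ca.example; k=v; k2=v2' into (issuer_domain, [(key, value), ...])."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = []
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params.append((key.strip().lower(), val.strip()))
    return issuer, params


def property_authorizes(value, ca_domain, account_uri, method):
    """True if this single issue property authorizes the request."""
    try:
        issuer, params = parse_issue_value(value)
    except ValueError:
        return False  # fail closed on anything that does not parse
    if issuer != ca_domain.lower():
        return False
    uris = [v for k, v in params if k == "accounturi"]
    methods = [v for k, v in params if k == "validationmethods"]
    # Repeated parameters are treated as non-authorizing (conservative choice
    # in this sketch).
    if len(uris) > 1 or len(methods) > 1:
        return False
    if uris and uris[0] != account_uri:
        return False  # property is bound to a different account
    if methods and method not in methods[0].split(","):
        return False  # validation method used is not in the allowed list
    return True


def issuance_permitted(issue_values, ca_domain, account_uri, method):
    """Issuance is allowed if any issue property in the record set authorizes it."""
    if not issue_values:
        return True  # no issue property present: CAA does not restrict issuance
    return any(property_authorizes(v, ca_domain, account_uri, method)
               for v in issue_values)
```

A property without either parameter behaves like a plain CAA issue record; each parameter can only remove requests that would otherwise have been authorized.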