Re: [lamps] CAA tags

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 19 December 2017 21:54 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
CC: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Tue, 19 Dec 2017 21:54:30 +0000
Message-ID: <DM5PR14MB1289D721D278D96821FE305F830F0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <DM5PR14MB1289FA2B76543ABAF16FD0EF830E0@DM5PR14MB1289.namprd14.prod.outlook.com> <CAErg=HEL93NpPjEZnAFQD3Epk5dHW41qmXJGOPA_7wvKvmsGJA@mail.gmail.com> <DM5PR14MB12894853413B1055CEF6FA74830F0@DM5PR14MB1289.namprd14.prod.outlook.com> <CAErg=HG1S9LHhW03KeakaX50+eX5ztjH_uosvV1O4wcnPP83YA@mail.gmail.com>
In-Reply-To: <CAErg=HG1S9LHhW03KeakaX50+eX5ztjH_uosvV1O4wcnPP83YA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/17LEaVnYPbbrGahN1twWa_bXqgs>

Yup.  That’s why I’m not writing a spec right now.  I’m always open to reasonable feedback on anything that makes my proposals better.  I rarely get things entirely right the first time!

 

-Tim

 

From: Ryan Sleevi [mailto:ryan-ietf@sleevi.com] 
Sent: Tuesday, December 19, 2017 12:16 PM
To: Tim Hollebeek <tim.hollebeek@digicert.com>
Cc: Ryan Sleevi <ryan-ietf@sleevi.com>; Jacob Hoffman-Andrews <jsha@eff.org>; spasm@ietf.org
Subject: Re: [lamps] CAA tags

 

Thanks for clarifying. From your original e-mail, it wasn't clear if you were taking a particular position on the property tags vs parameters, and/or what considerations fed into such discussions. That's where having the problem statement (or 'explainer', as it's called in some SDO circles) and use cases is useful to explore these tradeoffs :)

 

On Tue, Dec 19, 2017 at 9:50 AM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:

As I noted in the preface to my initial email in this thread [1], one other person has pointed out the same thing to me.  I noted that not only is this an option, but it solves two problems with the original proposal, so I’m personally leaning towards it.  We’ll see what other CAs think.

 

That is, why is the set of policy not

 

CAA 0 issue "example.com"

CAA 0 issue "example.net"

CAA 128 validation "type=EV method=1,2,3,4"

 

On Mon, Dec 18, 2017 at 12:41 PM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:

Note that it has been privately pointed out to me that one possible solution to the criticality problem and the scaling problem is to use top-level tags that are independent of the issue records:

CAA 0 issue "a.example.com"

CAA 0 issue "b.example.com"

CAA 128 validation "Phone"
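As an added example (not code from this thread, nor from either author or their employers), the following small Python CAA evaluator shows how the two record sets quoted above behave from a CA's side: a CA that understands only the standard issue/issuewild/iodef tags must refuse issuance when it meets a critical (flag 128) tag it does not recognise, while a CA that understands the top-level tag can parse it and compare the required methods against its own. The "validation" tag, the `type=`/`method=` parameter syntax, and the reading of a bare token such as "Phone" as a method name are assumptions made for the example; none of them is a registered CAA property.

```python
"""Added example: minimal RFC 6844-style CAA evaluation with a hypothetical
top-level "validation" tag. Not code from the thread or from any CA.
Assumptions: "validation" is unregistered; its value is space-separated
key=value pairs, a bare token meaning method=<token>; issue-record
parameters after ';' are ignored for the authorisation decision."""
from dataclasses import dataclass

CRITICAL = 128                                   # RFC 6844 issuer-critical flag bit
STANDARD_TAGS = frozenset({"issue", "issuewild", "iodef"})
AWARE_TAGS = STANDARD_TAGS | {"validation"}      # a CA that understands the new tag


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse one presentation-format line: CAA <flags> <tag> "<value>"."""
    parts = line.split(None, 3)
    if len(parts) != 4 or parts[0].upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(parts[1])
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, parts[2].lower(), parts[3].strip().strip('"'))


def parse_validation(value: str) -> dict:
    """'type=EV method=1,2,3,4' -> {'type': ['EV'], 'method': ['1','2','3','4']}.
    A bare token such as 'Phone' is read as method=Phone (assumption)."""
    req: dict = {}
    for token in value.split():
        key, _, val = token.partition("=")
        if not val:                               # bare token: treat as a method name
            key, val = "method", key
        req.setdefault(key.lower(), []).extend(
            v.strip() for v in val.split(",") if v.strip())
    return req


def may_issue(records, ca_domain, supported_tags=STANDARD_TAGS, ca_methods=frozenset()):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    # 1. A critical record whose tag this CA does not understand blocks issuance.
    for r in records:
        if r.flags & CRITICAL and r.tag not in supported_tags:
            return False, f"critical tag {r.tag!r} not understood"
    # 2. Standard issue check: if any issue records exist, our domain must be listed.
    issue = [r for r in records if r.tag == "issue"]
    if issue:
        allowed = {r.value.split(";", 1)[0].strip().lower() for r in issue}
        if ca_domain.lower() not in allowed:
            return False, f"{ca_domain} not authorised by issue records"
    # 3. Hypothetical top-level validation policy, applied only by CAs that know the tag.
    if "validation" in supported_tags:
        for r in records:
            if r.tag == "validation":
                required = set(parse_validation(r.value).get("method", []))
                if required and not (required & set(ca_methods)):
                    return False, f"none of required methods {sorted(required)} supported"
    return True, "issuance permitted"


# Constructed record sets mirroring the two proposals quoted in the thread.
RECORDS_WITH_PARAMS = [parse_caa(l) for l in (
    'CAA 0 issue "example.com"',
    'CAA 0 issue "example.net"',
    'CAA 128 validation "type=EV method=1,2,3,4"',
)]
RECORDS_PHONE = [parse_caa(l) for l in (
    'CAA 0 issue "a.example.com"',
    'CAA 0 issue "b.example.com"',
    'CAA 128 validation "Phone"',
)]

if __name__ == "__main__":
    print(may_issue(RECORDS_WITH_PARAMS, "example.com"))                     # legacy CA: refused
    print(may_issue(RECORDS_WITH_PARAMS, "example.com", AWARE_TAGS, {"2"}))  # aware CA: permitted
    print(may_issue(RECORDS_PHONE, "a.example.com", AWARE_TAGS, {"1"}))      # no Phone method: refused
```

The critical-flag check runs before the issuer check on purpose: a legacy CA that is listed in the issue records still has to refuse, which is exactly the property that makes a top-level critical tag safer than a parameter appended to an issue record that an older CA would silently ignore.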