Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags

Corey Bonnell <CBonnell@trustwave.com> Tue, 27 March 2018 14:27 UTC

Return-Path: <CBonnell@trustwave.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1634112E047 for <spasm@ietfa.amsl.com>; Tue, 27 Mar 2018 07:27:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.08
X-Spam-Level:
X-Spam-Status: No, score=0.08 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YGlxp1ybyuQe for <spasm@ietfa.amsl.com>; Tue, 27 Mar 2018 07:27:45 -0700 (PDT)
Received: from seg-node-chi-03.trustwave.com (seg-node-chi-03.trustwave.com [204.13.200.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77E4012E049 for <spasm@ietf.org>; Tue, 27 Mar 2018 07:27:44 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (Not Verified[207.46.163.56]) by seg-node-chi-03.trustwave.com with Trustwave SEG (v8, 0, 6, 10676) (using TLS: TLSv1.2, AES256-SHA256) id <B5aba54dd0002>; Tue, 27 Mar 2018 09:27:41 -0500
Received: from SN6PR07MB4575.namprd07.prod.outlook.com (52.135.95.19) by SN6PR07MB4381.namprd07.prod.outlook.com (52.135.91.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.609.10; Tue, 27 Mar 2018 14:27:40 +0000
Received: from SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::fc6f:e45f:736f:a85c]) by SN6PR07MB4575.namprd07.prod.outlook.com ([fe80::fc6f:e45f:736f:a85c%13]) with mapi id 15.20.0609.012; Tue, 27 Mar 2018 14:27:40 +0000
From: Corey Bonnell <CBonnell@trustwave.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags
Thread-Index: AQHTi+4QDmko90Ob9kiZJwieEDaNDqPjolkAgACyQYA=
Date: Tue, 27 Mar 2018 14:27:40 +0000
Message-ID: <C051979C-4726-4AF9-9C7A-B63DB7309426@trustwave.com>
References: <878C91A0-6875-47A4-872F-F5D1F7F7AE7E@trustwave.com> <ed4efa8d-c82f-018e-143c-63388e540763@eff.org>
In-Reply-To: <ed4efa8d-c82f-018e-143c-63388e540763@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=CBonnell@trustwave.com;
x-originating-ip: [204.13.202.248]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR07MB4381; 7:jSy5kF3TVK6VJRrlinJARB+05mHVX5NPi6uRS2t6OsBEixPRcVg1PzBEGDnlnkf3xhMHUQyZhPuNOQzUYUuv2BGsiL4pvAeGyPdtEQS0UHKn4wcHho9NXOqPjsJK7EWKLZUcF2IeQnr7pKL6zIPRVD9VRGZu/sy4HreNuT72ePaxfY7LT4xiNU/ojtqxw1YSWZgoUx0o6ddbu7HrLNomx05yEolcR+7SGYGAY60SAo0uMNOOWZp4URG1E2d15nWr
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 51a18b7c-85dd-4c6b-3d0f-08d593eee55e
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:SN6PR07MB4381;
x-ms-traffictypediagnostic: SN6PR07MB4381:
x-microsoft-antispam-prvs: <SN6PR07MB4381BF4B2A1517EE4111A518CFAC0@SN6PR07MB4381.namprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(232896897485771)(166708455590820)(192374486261705)(171964332516350)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3231221)(944501327)(52105095)(93006095)(93001095)(3002001)(10201501046)(6041310)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(20161123564045)(6072148)(201708071742011); SRVR:SN6PR07MB4381; BCL:0; PCL:0; RULEID:; SRVR:SN6PR07MB4381;
x-forefront-prvs: 0624A2429E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(366004)(39380400002)(39860400002)(396003)(189003)(199004)(105586002)(8676002)(26005)(110136005)(446003)(6436002)(53936002)(236005)(2906002)(229853002)(36756003)(33656002)(476003)(6486002)(11346002)(186003)(99286004)(72206003)(345774005)(2501003)(82746002)(80792005)(66066001)(102836004)(106356001)(97736004)(14454004)(478600001)(6512007)(81156014)(316002)(54896002)(5250100002)(81166006)(6116002)(3846002)(6306002)(6506007)(53546011)(3280700002)(6246003)(83716003)(5660300001)(8936002)(7736002)(59450400001)(2616005)(606006)(3660700001)(2900100001)(68736007)(25786009)(86362001)(486005)(76176011)(486005)(966005)(19400905002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR07MB4381; H:SN6PR07MB4575.namprd07.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: trustwave.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: xlu1KN4tv79tFqMO98oddEzs8CTResjuADbdQkNTwari7aXK3aV/CypYLrMLMc3Z1hD+Ia1S/DWAwMqOVKTsa4feKBIPl8upENcJLZ+V7NO8Rsgj1kjmd+gYoKPWMztMdbYpVR33VzdurUN5sKll3byxXNxgOXmAYt92Mg2GXIbQ3YvWpbQui/eMTkaexsWm0JfAUECoRPbb4z8r4malzJRNOhKVIYaZPM2BsZh9CW3tfhdPKLoCJLIkCmUrbEOBfTBHM73/qwTRcoHtL7de9lDLvhZ9sjkcCWuiYI6DWmqNSONmUhcP0Mt43SCh9VDTUWYjhat53FZSrT2Bd1ADHg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C051979C47264AF99C7AB63DB7309426trustwavecom_"
MIME-Version: 1.0
X-OriginatorOrg: trustwave.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 51a18b7c-85dd-4c6b-3d0f-08d593eee55e
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2018 14:27:40.1669 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cb1dab68-a067-4b6b-ae7e-c012e8c33f6a
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4381
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1ZED2zQIKkyL4EsT-Mz-MM2YuWQ>
Subject: Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:27:53 -0000

Jacob,
Thank you for getting this erratum included in RFC 6844-bis. It will be good to get the wording cleared up.

As for my original erratum text not specifying "issuewild", that is because section 5.3 (5.3.  CAA issuewild Property) specifies that "The issuewild property has the same syntax and semantics as the issue property except that issuewild properties only grant authorization to issue certificates that specify a wildcard domain". Given that issuewild property tags have the same semantics as issue property tags, the addition of my original erratum text (in section 5.2, which defines issue property tag semantics) will also address the case of a resource record set not containing issue property tags and not containing issuewild property tags (only in the case of wildcard domain names, since issuewild property tags are otherwise ignored as per section 5.3).

If you think that's too vague and it's better to explicitly mention the lack of issuewild tags, we should qualify the language a bit to say "A non-empty CAA record set that contains no issue property tags (and also does not contain any issuewild property tags when performing issue restriction processing for a wildcard domain) is authorization to any certificate issuer to issue for the corresponding domain, provided that no records in the CAA record set otherwise prohibit issuance." Otherwise, it is unclear how to handle the case of a non-empty CAA record set for a non-wildcard domain that does not contain an issue property tag but contains one or more issuewild property tags.

Thanks,
Corey


Corey Bonnell
Senior Software Engineer
t: +1 412.395.2233

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Date: Monday, March 26, 2018 at 7:49 PM
To: Corey Bonnell <CBonnell@trustwave.com>om>, "spasm@ietf.org" <spasm@ietf.org>
Subject: Re: [lamps] Ambiguities in RFC 6844 regarding CAA resource record sets with no "issue" property tags

I've written this up as a PR: https://github.com/jsha/caa-simplification/pull/1/files<https://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHvf0GuoOkjQ&s=5&u=https%3a%2f%2fgithub%2ecom%2fjsha%2fcaa-simplification%2fpull%2f1%2ffiles>ll%2f1%2ffiles>. If there are no objections, I'll merge it in a week for the 6844bis draft.

Note that I tweaked it slightly from your erratum (https://www.rfc-editor.org/errata/eid5244<https://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHvf0Ev9GmjQ&s=5&u=https%3a%2f%2fwww%2erfc-editor%2eorg%2ferrata%2feid5244>)ata%2feid5244>). Where you referred just to "issue" property tags, I mention both "issue" and "issuewild."
On 01/12/2018 01:41 PM, Corey Bonnell wrote:
Hello,
I believe that there are several ambiguities in RFC 6844 in regard to processing CAA resource record sets that do not contain "issue" records.

Section 3 of RFC 6844 (http://www.rfcreader.com/#rfc6844_line196<http://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHva1WuNSniQ&s=5&u=http%3a%2f%2fwww%2erfcreader%2ecom%2f%23rfc6844%5fline196>) defines the "issue" property tag to authorize "the holder of the domain name <Issuer Domain Name> or a party acting under the explicit authority of the holder of that domain name to issue certificates for the domain in which the property is published". Based on my interpretation, the definition given here is suggesting that CAA issue restriction processing is done regardless of whether or not there is an "issue" record(s) present to specify the set of permitted Issuer Domain Names. In other words, the lack of "issue" records in a CAA resource record set indicates that no CA may issue for that domain, since no CA has been authorized to issue.

However, section 5.2 (http://www.rfcreader.com/#rfc6844_line447<http://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHvftXvYf33g&s=5&u=http%3a%2f%2fwww%2erfcreader%2ecom%2f%23rfc6844%5fline447>) defines the "issue" property tag to "request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers". Based on this definition, it sounds as if CAA issue restriction processing is "opt-in". In other words, the absence of "issue" records in a CAA record set indicate that any CA may issue for that domain (since there was no "opt-in" into CAA restriction processing).

Section 4 (http://www.rfcreader.com/#rfc6844_line288<http://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHvfNVvND12Q&s=5&u=http%3a%2f%2fwww%2erfcreader%2ecom%2f%23rfc6844%5fline288>) states that, "before issuing a certificate, a compliant CA MUST check for publication of a relevant CAA Resource Record set." Unfortunately, the term "relevant" is not defined by the RFC, which, compounded with the ambiguity highlighted above in regard to the definition of the "issue" property tag in sections 3 and 5.2, leads to ambiguity in the handling following scenarios:

- A CAA resource record set consisting solely of unknown non-critical property tags (including misspellings of "issue", such as "iisue", etc.)
- A CAA resource record set consisting solely of "iodef" property tags
- A CAA resource record set that contains both of the above

For each of these cases above, it is unclear which of the following three actions a CA should take:
- Fail issuance (since the CAA resource record set did not authorize any CA to issue, given the definition of the "issue" property tag in Section 3)
- Continue the tree-climbing search for records (since the resource record sets above could conceivably be considered as "not relevant")
- Allow issuance (since the resource record sets above could conceivably be considered as "relevant" and any CA may issue, given the definition of the "issue" property tag in section 5.2)

At Trustwave, we have taken the conservative approach and will not issue certificates if we encounter CAA resource record sets matching the descriptions of the three above. However, given that we may be overly restrictive by doing this, as well as for a desire for CAA record sets to be processed uniformly regardless of the CA, we would like to see these ambiguities resolved.

If others agree that the current wording of the RFC is ambiguous, I would be happy to present changes to relevant sections to clear up the ambiguity, but for now I wanted to send this along to see if others share our interpretation of the RFC.

Thanks,
Corey



Corey Bonnell
Senior Software Engineer
t: +1 412.395.2233

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>

2017 Best Managed Security Service Winner – SC Media




_______________________________________________

Spasm mailing list

Spasm@ietf.org<mailto:Spasm@ietf.org>

https://www.ietf.org/mailman/listinfo/spasm<https://scanmail.trustwave.com/?c=4062&d=loe52jNi8V2QtLlmCxq-y_nbkZ0r54DHvfJV7oWjjQ&s=5&u=https%3a%2f%2fwww%2eietf%2eorg%2fmailman%2flistinfo%2fspasm>