Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

Tim Hollebeek <tim.hollebeek@digicert.com> Mon, 18 December 2017 14:40 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>, "spasm@ietf.org" <spasm@ietf.org>
Date: Mon, 18 Dec 2017 14:40:51 +0000
Message-ID: <DM5PR14MB128950E8291574FAA0161BC8830E0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <20171208180055.ACB1EB81ACE@rfc-editor.org> <5AB43438-406D-482D-81DD-B9A30BE84459@vigilsec.com> <ad5b6045-84ba-32b3-7739-b2464fc40c2f@eff.org>
In-Reply-To: <ad5b6045-84ba-32b3-7739-b2464fc40c2f@eff.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1jtqNBag3IvoZpcOwRDuFtsPWwI>
Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)

As pointed out on the cabf_validation list, the original text isn't just
ambiguous, the RFC contradicts itself.  I don't feel too strongly either
way, as long as it gets resolved soon, as property tags are about to become
commonly deployed (there were several proposed uses discussed at the Taipei
face-to-face meeting of the CA/Browser forum).

I do however have a slight preference for only having a single separator
(whitespace), not two, in order to avoid confusion about what to do about
whitespace after semicolons and around = signs.

The semicolon doesn't really serve a useful purpose, though we do have to
keep one since there are existing CAA records out there that use it.  I'd
like the grammar to essentially be:

    domain ; [name = value]+

with the clarification that whitespace is ignored.

So my personal preference is the first style you mentioned, in line with the
submitted errata:

    example.com. IN CAA 0 issue "example.net; foo=bar bar=qux"

It's the style I used in my proposal for industry standard property tag
names on cabf_validation last week.

-Tim
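As an added illustration (not code from this thread, from RFC 6844 or from Boulder), here is a small parser for the value of a CAA `issue` property that accepts both separator styles under discussion, ignoring whitespace around `;` and `=` as proposed above. The sample values are constructed, and rejecting duplicate parameter tags is this example's own choice rather than RFC text.

```python
import re

# Constructed sample values covering both separator styles from the thread.
SAMPLES = {
    "space":     "example.net; foo=bar bar=qux",
    "semicolon": "example.net; foo=bar; bar=qux",
    "sloppy":    " example.net ;foo = bar ; bar= qux ",
    "plain":     "example.net",
    "nobody":    ";",
}

_LABEL = r"[A-Za-z0-9](?:-*[A-Za-z0-9])*"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
_TAG_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_issue_value(value):
    """Split a CAA issue/issuewild value into (domain, params).

    Parameters may be separated by whitespace or by semicolons; whitespace
    around ';' and '=' is ignored. An empty domain (e.g. ";") means
    "no CA may issue" and is returned as None. Raises ValueError for a
    malformed domain, a malformed parameter or a duplicate tag (rejecting
    duplicates is this example's choice, not something the RFC specifies).
    """
    head, _, tail = value.partition(";")
    domain = head.strip().lower() or None
    if domain and not _DOMAIN_RE.match(domain):
        raise ValueError(f"bad issuer domain: {domain!r}")
    params = {}
    # Collapse "tag = value" to "tag=value", then split on either separator.
    for token in re.split(r"[;\s]+", re.sub(r"\s*=\s*", "=", tail)):
        if not token:
            continue
        tag, eq, val = token.partition("=")
        if not eq or not _TAG_RE.match(tag):
            raise ValueError(f"bad parameter: {token!r}")
        if tag in params:
            raise ValueError(f"duplicate tag: {tag!r}")
        params[tag] = val
    return domain, params


def permits_issuer(value, ca_domain):
    """True if this issue value names ca_domain (exact, case-insensitive)."""
    domain, _ = parse_issue_value(value)
    return domain is not None and domain.rstrip(".") == ca_domain.lower().rstrip(".")


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {raw!r:40} -> {parse_issue_value(raw)}")
```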

> -----Original Message-----
> From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Jacob Hoffman-
> Andrews
> Sent: Friday, December 15, 2017 9:06 PM
> To: spasm@ietf.org
> Subject: Re: [lamps] Fwd: [pkix] [Technical Errata Reported] RFC6844 (5200)
> 
> On 12/08/2017 10:16 AM, Russ Housley wrote:
> > http://www.rfc-editor.org/errata/eid5200
> 
> The question here is whether CAA records with property tags should look
> like:
> 
> example.com. IN CAA 0 issue "example.net; foo=bar bar=qux"
> 
> or:
> 
> example.com. IN CAA 0 issue "example.net; foo=bar; bar=qux"
> 
> (note the second semicolon)
> 
> I think the original text is ambiguous on the point, and since property
> tags are not yet widely deployed this is a somewhat free choice. I think
> the version where property tags are separated by semicolons makes more
> sense and is
> less error prone. It also happens to be what Hugo Landau's draft for CAA
> Record Extensions uses:
> https://tools.ietf.org/html/draft-ietf-acme-caa-03#page-9
> 
> And what was briefly implemented in Let's Encrypt's Boulder (since rolled
> back due to a bug):
> 
> https://github.com/letsencrypt/boulder/pull/3145/files#diff-3efab53f2bcc543ac2e771ec882c57c1L310
> 
> So my feeling is we should reject this erratum and clarify in the other
> direction, requiring semicolons between property tags. Thoughts?