Re: [lamps] CAA tags

Tim Hollebeek <tim.hollebeek@digicert.com> Tue, 19 December 2017 15:10 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>, Rob Stradling <rob.stradling@comodo.com>
CC: SPASM <spasm@ietf.org>
Date: Tue, 19 Dec 2017 15:10:24 +0000
Subject: Re: [lamps] CAA tags
Message-ID: <DM5PR14MB12895956E401233B008525C6830F0@DM5PR14MB1289.namprd14.prod.outlook.com>
In-Reply-To: <CAMm+Lwg1+qt0sJfTY_ih+VjY9L7oMzX=ZRd0mxU7NR2Fxv8kQA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/1rOfydh7EsxqbkHlOUxkFvCfrGo>
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>

Hmm, domain names as tags is an interesting idea I had not considered.  I’ll keep it in mind.  Thanks.

-Tim

From: Spasm [mailto:spasm-bounces@ietf.org] On Behalf Of Phillip Hallam-Baker
Sent: Monday, December 18, 2017 11:24 PM
To: Rob Stradling <rob.stradling@comodo.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] CAA tags

We did indeed start with OIDs. But the reason I agreed to Domain Names was that the suggestion (I seem to remember it was Paul Hoffman) was obviously the right one.

Most of the things people want to do with tags can be done with domain names. More importantly, it can be done outside the IETF. If you want 'any EV' issuer, get the CABForum to approve ev.cabforum.com for the purpose.

Restricting to specific validation methods is interesting and might be a justified use for the criticality flag.

The other point to ponder is how a server that needs a cert discovers where the cert issuing service is. The idea was that if the CAA record specifies chosenca.com, a server would then be able to use that information to work out how to get a cert and automate the whole process.

Remember that at the time, there was this idea that DNS records should not make use of prefixes and should not make use of additional parsing beyond DNS record markers. At this point, I think we can safely ignore both notions as broken and if I was to do it again would suggest it just be a TXT type record. But we can't; that's water under the bridge now, sorry.

On Mon, Dec 18, 2017 at 5:02 PM, Rob Stradling <rob.stradling@comodo.com> wrote:

On 18/12/17 20:42, Ryan Sleevi wrote:
> <snip>
> I think Jacob's suggestion of OIDs is not at all unreasonable, and avoids the ambiguities you raise and allows them to be addressed by policy in the Forum.

We had policy OIDs in early versions of the I-D [1] that later became RFC6844, but we had to strip this out in favour of domain names when the document was adopted by PKIX.  WG consensus and all that.

I'm not sure what that decision might mean for any other proposals to use OIDs with CAA.

[1] https://www.ietf.org/archive/id/draft-hallambaker-donotissue-04.txt

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm
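As an added example (not code from this thread, nor any CA's implementation), the following Python sketch shows the CAA evaluation that the points above turn on: "issue"/"issuewild" values carry an issuer domain name such as chosenca.com, an unrecognised tag with the critical flag set forbids issuance, and the parameters after the ';' in a value are where a restriction such as "only these validation methods" can be expressed. The `validationmethods` parameter used here is the one later standardised in RFC 8657, which postdates this 2017 thread; the zone lines are constructed for the example, and the RFC 6844 tree-climbing lookup is assumed to have already produced the relevant RRset.

```python
"""CAA RRset evaluation (added example; not code from the thread or any CA).

Follows the RFC 6844 processing model for a single, already-located RRset:
  * flags octet: bit value 128 is "issuer critical";
  * tag: issue / issuewild / iodef are the known property tags;
  * value: for issue/issuewild, "<issuer-domain>[; param=value]*".
The "validationmethods" parameter is the RFC 8657 one (assumption: it
postdates this thread). RRset lookup / tree climbing is out of scope.
"""
from __future__ import annotations

from dataclasses import dataclass

CRITICAL = 0x80                      # RFC 6844 section 5.1 issuer-critical flag
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_rr(text: str) -> CAARecord:
    """Parse the presentation form used in zone files: <flags> <tag> "<value>"."""
    flags, tag, value = text.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def parse_value(value: str) -> tuple[str, dict[str, str]]:
    """Split an issue/issuewild value into (issuer domain, parameters).

    "chosenca.com; validationmethods=dns-01"
        -> ("chosenca.com", {"validationmethods": "dns-01"})
    An empty issuer domain (value ";" or "") authorises no CA at all.
    """
    head, *rest = value.split(";")
    issuer = head.strip().lower()
    params: dict[str, str] = {}
    for p in rest:
        p = p.strip()
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return issuer, params


def may_issue(records, issuer_domain: str, *, wildcard: bool = False,
              validation_method: str | None = None) -> tuple[bool, str]:
    """Decide whether `issuer_domain` may issue for the name owning `records`."""
    issuer_domain = issuer_domain.lower()
    tagged = [(r.tag.lower(), r) for r in records]

    # An unrecognised property with the critical flag set means "do not issue"
    # (RFC 6844 section 5.1). Unrecognised non-critical tags are ignored.
    for tag, r in tagged:
        if r.flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {r.tag!r}"

    issue = [r for tag, r in tagged if tag == "issue"]
    issuewild = [r for tag, r in tagged if tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue does.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable issue/issuewild property; unrestricted"

    for r in relevant:
        name, params = parse_value(r.value)
        if name != issuer_domain:
            continue
        allowed = params.get("validationmethods")
        if allowed is not None:
            methods = {m.strip().lower() for m in allowed.split(",")}
            if validation_method is None or validation_method.lower() not in methods:
                continue  # listed, but only for other validation methods
        return True, f"authorised by {r.tag} {r.value!r}"
    return False, f"{issuer_domain} is not an authorised issuer"


# Constructed sample zone data for the example (not from any real zone).
SAMPLE_ZONE = [
    '0 issue "chosenca.com; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
SAMPLE_RRSET = [parse_rr(line) for line in SAMPLE_ZONE]


if __name__ == "__main__":
    for args in [dict(validation_method="dns-01"),
                 dict(validation_method="http-01"),
                 dict(wildcard=True, validation_method="dns-01")]:
        print(args, may_issue(SAMPLE_RRSET, "chosenca.com", **args))
```

The two decisions worth noticing are the ones the thread circles around: a record whose tag the CA does not understand is harmless unless the critical bit is set, which is why a validation-method restriction a CA must not silently skip would be a candidate for that flag, and everything after the ';' is free-form parameter text that each consuming CA has to parse for itself.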