Re: [lamps] CAA processing for email addresses

Corey Bonnell <Corey.Bonnell@digicert.com> Wed, 30 November 2022 20:48 UTC

From: Corey Bonnell <Corey.Bonnell@digicert.com>
To: Seo Suchan <tjtncks@gmail.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] CAA processing for email addresses
Date: Wed, 30 Nov 2022 20:47:46 +0000
Message-ID: <DM6PR14MB2186880BB993689D6CE890F292159@DM6PR14MB2186.namprd14.prod.outlook.com>
References: <DM6PR14MB2186A5E0A82D87085564B90D92159@DM6PR14MB2186.namprd14.prod.outlook.com> <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com>
In-Reply-To: <5d2804c9-cd04-14e8-9fad-91254212e04d@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/2H4jnTMx41E5FjuLh6FDFkOeTQ4>

Hi Seo,

Comments inline.


> 1. Marking this record critical will block TLS certificates for that domain unless they understand this. I think that is a footgun worth mentioning.


Thanks, that’s a great point. I’ll make a note of this and add it to the Security Considerations in the next update.


> 2. There are 'free to register' email domains. Would it be acceptable to them to limit clients' certificate choice?


Fundamentally, CAA is a mechanism for domains to express the allowed set of CAs that may issue certificates. Given that the mailbox provider owns/controls the domain name in question, I believe it is entirely acceptable for such a mailbox provider to limit the set of CAs that can issue S/MIME certificates for the provider’s domain.


Thanks,

Corey


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Seo Suchan
Sent: Wednesday, November 30, 2022 3:00 PM
To: spasm@ietf.org
Subject: Re: [lamps] CAA processing for email addresses


Some thoughts:

1. Marking this record critical will block TLS certificates for that domain unless they understand this. I think that is a footgun worth mentioning.

2. There are 'free to register' email domains. Would it be acceptable to them to limit clients' certificate choice?

For example, Google can set an issuemail record on gmail.com with a contracted CA and force users to get S/MIME certificates from that CA.

On 2022-12-01 at 2:17 AM, Corey Bonnell wrote:

Hello,

Over the past several years, there have been discussions [1][2][3] on extending CAA such that it can be used for domains to express restrictions on the issuance of certificates for email addresses (e.g., S/MIME certificates, etc.). With the recent passage of the initial version of the CA/Browser Forum S/MIME Baseline Requirements, there is a renewed interest in mandating that publicly trusted CAs process CAA records prior to the issuance of S/MIME certificates in an upcoming version of the requirements. In order to provide a full specification for CAA processing for email addresses, I drafted an I-D for a new CAA property tag: https://www.ietf.org/archive/id/draft-bonnell-caa-issuemail-00.html. I am hopeful that such a specification can be reviewed here such that any update to the S/MIME Baseline Requirements that mandates CAA processing can directly reference the specification.


Given that CAA is a topic that is firmly within the scope of this WG, I wanted to circulate the draft here and would appreciate feedback and comments.


Thanks,

Corey


[1] https://groups.google.com/g/mozilla.dev.security.policy/c/NIc2Nwa9Msg

[2] https://github.com/mozilla/pkipolicy/issues/135

[3] https://lists.cabforum.org/pipermail/smcwg-public/2020-October/000040.html


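As an added illustration of the critical-flag footgun raised in the thread (example code, not from the draft or from either poster), the following Python models RFC 8659 CAA processing with the draft's issuemail tag treated as analogous to issue, which is an assumption; the record set and CA names are constructed.

```python
# Added example, not from the draft or the thread: RFC 8659 CAA processing with
# the draft's "issuemail" tag modelled as analogous to "issue" (an assumption).
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)

def issuer_domain(value: str) -> str:
    # RFC 8659: the issuer domain name precedes any ';'-separated parameters;
    # an empty name (e.g. the value ";") authorises no CA at all.
    return value.split(";", 1)[0].strip().lower()

def may_issue(records, ca_domain, request_tag, known_tags):
    """Return (allowed, reason) for a CA with issuer domain ca_domain.
    request_tag is "issue" for TLS or "issuemail" for S/MIME; known_tags
    holds the property tags this CA implements."""
    # RFC 8659 sec. 4: a critical property the CA does not understand means
    # it MUST NOT issue, whatever kind of certificate was requested.
    for r in records:
        if r.critical and r.tag.lower() not in known_tags:
            return False, f"critical property '{r.tag}' not understood"
    relevant = [r for r in records if r.tag.lower() == request_tag]
    if not relevant:
        return True, f"no '{request_tag}' records; issuance not restricted"
    if any(issuer_domain(r.value) == ca_domain.lower() for r in relevant):
        return True, f"'{request_tag}' record names {ca_domain}"
    return False, f"no '{request_tag}' record names {ca_domain}"

# Constructed RRset for a mailbox provider's domain (names are made up).
RECORDS = [
    CAARecord(0, "issue", "tls-ca.example"),
    CAARecord(CRITICAL, "issuemail", "smime-ca.example"),
]
LEGACY_CA_TAGS = {"issue", "issuewild", "iodef"}   # CA unaware of the draft
UPDATED_CA_TAGS = LEGACY_CA_TAGS | {"issuemail"}   # CA implementing the draft

if __name__ == "__main__":
    # The footgun: the TLS CA refuses because it cannot parse the critical tag.
    print(may_issue(RECORDS, "tls-ca.example", "issue", LEGACY_CA_TAGS))
    print(may_issue(RECORDS, "smime-ca.example", "issuemail", UPDATED_CA_TAGS))
```

Clearing the critical flag on the issuemail record lets a legacy TLS CA ignore it while an S/MIME CA that implements the draft still enforces it.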